diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..307833f --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,336 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore + +# User-specific files +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUNIT +*.VisualState.xml +TestResult.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ +**/Properties/launchSettings.json + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_i.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*.log +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# JustCode is a .NET coding add-in +.JustCode + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Visual Studio code coverage results 
+*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. 
+!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
+*.vbw + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# JetBrains Rider +.idea/ +*.sln.iml + +# CodeRush +.cr/ + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Visual Studio Code +.vscode/ + +# Custom +*/testreport.html \ No newline at end of file diff --git a/ATAPAuditor/ATAPAuditor.psd1 b/ATAPAuditor/ATAPAuditor.psd1 new file mode 100644 index 0000000..1dc77cf --- /dev/null +++ b/ATAPAuditor/ATAPAuditor.psd1 
@@ -0,0 +1,45 @@ +@{ +RootModule = 'ATAPAuditor.psm1' +ModuleVersion = '5.12.1' +GUID = '1662a599-4e3a-4f72-a844-9582077b589e' +Author = 'Phan Quang Nguyen, Daniel Ströher, Robin Wernz' +CompanyName = 'FB Pro GmbH' +Copyright = '(c) 2025 FB Pro GmbH. All rights reserved.' +Description = 'AuditTAP allows you to check operating systems and applications against industry approved standards for secure configuration and delivers the results in form of a HTML based report document.' +PowerShellVersion = '5.0' +RequiredModules = @( + 'ATAPHtmlReport' +) +# RequiredAssemblies = @() +# ScriptsToProcess = @() +# TypesToProcess = @() +# FormatsToProcess = @() +# NestedModules = @() +FunctionsToExport = @( + 'Save-ATAPHtmlReport' + 'Invoke-ATAPReport' + 'Get-ATAPReport' + 'Get-AuditResource' + 'Test-AuditGroup' +) +CmdletsToExport = @() +VariablesToExport = '' +AliasesToExport = @( + 'shr' +) +# ModuleList = @() +# FileList = @() +PrivateData = @{ + PSData = @{ + Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html') + LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE' + ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation' + # IconUri = '' + # ReleaseNotes = '' + + } # End of PSData hashtable + +} # End of PrivateData hashtable +# HelpInfoURI = '' +# DefaultCommandPrefix = 'ATAP' +} diff --git a/ATAPAuditor/ATAPAuditor.psm1 b/ATAPAuditor/ATAPAuditor.psm1 new file mode 100644 index 0000000..0a85d54 --- /dev/null +++ b/ATAPAuditor/ATAPAuditor.psm1 
@@ -0,0 +1,931 @@ +using namespace Microsoft.PowerShell.Commands + +#region Initialization + +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +. "$RootPath\Helpers\HashHelper.ps1" + +$script:atapReportsPath = $env:ATAPReportPath +if (-not $script:atapReportsPath) { + $script:atapReportsPath = [Environment]::GetFolderPath('MyDocuments') | Join-Path -ChildPath 'ATAPReports' +} + +# for license status function. if called multiple times the cache will be used +$LicenseStatusCache = $null +#endregion + +#region Classes +class AuditTest { + [string] $Id + [string] $Task + [hashtable[]] $Constraints + [scriptblock] $Test +} + +enum AuditInfoStatus { + True + False + Warning + None + Error +} + +class AuditInfo { + [string] $Id + [string] $Task + [AuditInfoStatus] $Status + [string] $Message +} + +class ReportSection { + [string] $Title + [string] $Description + [AuditInfo[]] $AuditInfos + [ReportSection[]] $SubSections +} + +class Report { + [string] $Title + [string] $ModuleName + [string] $AuditorVersion + [hashtable] $HostInformation + [string[]] $BasedOn + [ReportSection[]] $Sections + [RSFullReport] $RSReport + [FoundationReport] $FoundationReport +} + + +################################################### +####### SYSTEM INFORMATION Classes ########## +################################################### +class SystemInformation { + [SoftwareInformation] $SoftwareInformation + [HardwareInformation] $HardwareInformation +} + +class SoftwareInformation { + [string] $Hostname + [string] $SystemUptime + [string] $OperatingSystem + [string] $BuildNumber + [string] $OSArchitecture + [string] $LicenseStatus + [string] $InstallationLanguage + [string] $DomainRole + [string] $KernelVersion +} + +class HardwareInformation { + [string] $SystemManufacturer + [string] $SystemSKU + [string] $SystemModel + [string] $SystemSerialnumber + [string] $BiosVersion + [string] $FreeDiskSpace + [string] $FreePhysicalMemory +} +### Begin Foundation Classes ### +class 
FoundationReport { + [ReportSection[]] $Sections +} +### End Foundation Classes + +# RiskScore Classes +enum RSEndResult { + Critical + High + Medium + Low + Unknown +} + +class RSFullReport { + [RSSeverityReport] $RSSeverityReport + [RSQuantityReport] $RSQuantityReport +} + +class RSSeverityReport { + [AuditInfo[]] $AuditInfos + [ResultTable[]] $ResultTable + [RSEndResult] $Endresult +} + +class RSQuantityReport { + +} + +class ResultTable { + [int] $Success + [int] $Failed +} + +#endregion + +#region helpers +function IsIn-FullLanguageMode { + try { + $languageMode = $ExecutionContext.SessionState.LanguageMode + if ($languageMode -eq "FullLanguage") { + return $true + } + } + catch { + return $false + } + # returns alternate language modes if not FullLanguage + return $languageMode +} + +function Start-ModuleTest { + $moduleList = @(Get-Module -ListAvailable).Name | Select-Object -Unique + $necessaryModules = @( + "Microsoft.PowerShell.LocalAccounts", + "Microsoft.PowerShell.Management", + "Microsoft.PowerShell.Security", + "Microsoft.PowerShell.Utility", + "TrustedPlatformModule", + "NetSecurity", + "CimCmdlets", + "SmbShare", + "Defender", + "DISM" + #Modules only necessary for specific server tests + #"IISAdministration", + #"SQLServer", + ) + $missingModules = @() + foreach ($module in $necessaryModules) { + if ($moduleList -notcontains $module) { + $missingModules += $module + } + } + if ($missingModules.Count -gt 0) { + Write-Warning "Missing module(s) found. Missing modules can lead to errors. 
Following modules are missing:" + for ($i = 0; $i -lt $missingModules.Count; $i++) { + Write-Warning $missingModules[$i] + } + Write-Warning "Check out this link on how to install modules: https://learn.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershellget-3.x" + } + +} + +function Get-LicenseStatus { + param( + $SkipLicenseCheck + ) + if ($LicenseStatusCache) { + return $LicenseStatusCache + } + + if ($SkipLicenseCheck -eq $true) { + $LicenseStatusCache = "License check has been skipped." + return $LicenseStatusCache + } + + Write-Host "Checking operating system activation status. This may take a while..." + $license = Get-CimInstance SoftwareLicensingProduct -Filter "Name like 'Windows%'" | Where-Object { $_.PartialProductKey } | Select-Object -First 1 + $LicenseStatusCache = switch ($license.LicenseStatus) { + "0" { "Unlicensed" } + "1" { "Licensed" } + "2" { "OOBGrace" } + "3" { "OOTGrace" } + "4" { "NonGenuineGrace" } + "5" { "Notification" } + "6" { "ExtendedGrace" } + } + return $LicenseStatusCache +} + +function IsIIS10Executable { + if ((Get-Module -ListAvailable IISAdministration) -eq $null) { + return $false + } + return $true +} + +function Test-ArrayEqual { + [OutputType([bool])] + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [AllowNull()] + [AllowEmptyCollection()] + [array] + $Array1, + + [Parameter(Mandatory = $true)] + [AllowNull()] + [AllowEmptyCollection()] + [array] + $Array2 + ) + + if ($null -eq $Array1) { + $Array1 = @() + } + + if ($null -eq $Array2) { + $Array2 = @() + } + + if ($Array1.Count -ne $Array2.Count) { + return $false + } + + foreach ($a in $Array1) { + if ($a -notin $Array2) { + return $false + } + } + return $true +} + +# Get domain role +# 0 {"Standalone Workstation"} +# 1 {"Member Workstation"} +# 2 {"Standalone Server"} +# 3 {"Member Server"} +# 4 {"Backup Domain Controller"} +# 5 {"Primary Domain Controller"} +function Get-DomainRole { + $domainRole = (Get-CimInstance -Class 
Win32_ComputerSystem).DomainRole + switch ($domainRole) { + 0 { $result = "Standalone Workstation" } + 1 { $result = "Member Workstation" } + 2 { $result = "Standalone Server" } + 3 { $result = "Member Server" } + 4 { $result = "Backup Domain Controller" } + 5 { $result = "Primary Domain Controller" } + } + return $result +} + +function checkReportNameWithOSSystem { + [CmdletBinding()] + param ( + [Parameter()] + [string] + $ReportName + ) + # helpers + function handleReportNameDiscrepancy { + param ( + [Parameter()] + [string] + $ReportName, + [Parameter()] + [string] + $OsName, + [Parameter()] + [bool] + $ShouldBeStandAlone = $False + ) + if ($ShouldBeStandAlone -eq $True) { + Write-Host "You chose the Reportname $ReportName but the operating system is domain-joined. Be aware that a different report type could affect the result." + } + else { + Write-Host "You chose the Reportname $ReportName but the operating system is $OsName. Be aware that a different report type could affect the result." 
+ } + Write-Host "" + Write-Host "Choose one of the following options:" + Write-Host "[1] Continue [2] Exit Script" -ForegroundColor Yellow + $in = Read-Host + switch ($in) { + 1 { + Write-Host "You chose to continue" + return $ReportName + } + 2 { + Write-Host "You chose to exit the script" + return "Exit" + } + default { + Write-Host "Your input was invalid, call Save-ATAPHtmlReport again with your desired report" + return "Exit" + } + } + } + function returnSuitingReportName { + [CmdletBinding()] + param ( + [Parameter()] + [string] + $ReportName, + [Parameter()] + [string] + $OsName, + [Parameter()] + [string] + $OsType, + [Parameter()] + [bool] + $ShouldBeStandAlone = $False + ) + + ### + # similarity check + function isOsNameSimilarToType { + [CmdletBinding()] + param ( + [Parameter()] + [string] + $OsName, + [Parameter()] + [string] + $OsType + ) + if ($OsName -match $OsType) { + return $true + } + return $false + } + if (-not(isOsNameSimilarToType -OsName $osName -OsType $osType)) { + return handleReportNameDiscrepancy -ReportName $ReportName -OsName $osName + } + + ### + # should be standalone + if ($ShouldBeStandAlone -eq $True) { + function IsDomainedJoined { + if ((Get-CimInstance win32_computersystem).partofdomain) { + return $true + } + return $false + } + $isDomainJoined = IsDomainedJoined + if ($isDomainJoined -eq $True) { + return handleReportNameDiscrepancy -ReportName $ReportName -OsName $osName -ShouldBeStandAlone $True + } + } + return $ReportName + } + #helpers end + try { + $osName = (Get-ComputerInfo OsName).OsName + if ([string]::IsNullOrEmpty($osName)) { + return $ReportName # return initial ReportName and skip comparison + } + function Get-OsType { + switch ($ReportName) { + "Microsoft Windows Server 2025" { return "Microsoft Windows Server 2025" } + "Microsoft Windows Server 2022" { return "Microsoft Windows Server 2022" } + "Microsoft Windows Server 2019" { return "Microsoft Windows Server 2019" } + "Microsoft Windows Server 2016" { 
return "Microsoft Windows Server 2016" } + "Microsoft Windows Server 2012" { return "Microsoft Windows Server 2012" } + "Microsoft Windows 11" { return "Microsoft Windows 11" } + "Microsoft Windows 11 Stand-alone" { return "Microsoft Windows 11" } + "Microsoft Windows 10" { return "Microsoft Windows 10" } + "Microsoft Windows 10 Stand-alone" { return "Microsoft Windows 10" } + "Microsoft Windows 10 GDPR" { return "Microsoft Windows 10" } + "Microsoft Windows 10 BSI" { return "Microsoft Windows 10" } + "Microsoft Windows 7" { return "Microsoft Windows 7" } + } + } + $osType = Get-OsType + switch ($ReportName) { + "Microsoft Windows Server 2025" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows Server 2022" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows Server 2019" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows Server 2016" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows Server 2012" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows 11" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows 11 Stand-alone" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType -ShouldBeStandAlone $True + } + "Microsoft Windows 10" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows 10 Stand-alone" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType -ShouldBeStandAlone $True + } + "Microsoft Windows 10 GDPR" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows 10 BSI" { + return 
returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + "Microsoft Windows 7" { + return returnSuitingReportName -ReportName $ReportName -OsName $osName -OsType $osType + } + } + return $ReportName + } + catch { + return $ReportName + } + +} + +### begin Foundation functions ### +function Get-FoundationReport { + [CmdletBinding()] + [OutputType([FoundationReport])] + + $Sections = @( + [ReportSection] @{ + Title = "Security Base Data" + SubSections = @( + [ReportSection] @{ + Title = 'Platform Security' + AuditInfos = Test-AuditGroup "SBD - Platform Security" + } + [ReportSection] @{ + Title = 'Windows Base Security' + AuditInfos = Test-AuditGroup "SBD - Windows Base Security" + } + [ReportSection] @{ + Title = 'PowerShell Security' + AuditInfos = Test-AuditGroup "SBD - PowerShell Security" + } + [ReportSection] @{ + Title = 'Connectivity Security' + AuditInfos = Test-AuditGroup "SBD - Connectivity Security" + } + [ReportSection] @{ + Title = 'Application Control' + AuditInfos = Test-AuditGroup "SBD - Application Control" + } + ) + } + ) + + return ([FoundationReport]@{ + Sections = $Sections + }) +} + + +# region for RiskScore functions +# function that calls all RiskScore-Subfunctions and generates the RSFullReport +function Get-RSFullReport { + [CmdletBinding()] + [OutputType([RSFullReport])] + + $severity = Get-RSSeverityReport + + + return ([RSFullReport]@{ + RSSeverityReport = $severity + }) +} +# function to generate RiskSeverityReport +function Get-RSSeverityReport { + [CmdletBinding()] + [OutputType([RSSeverityReport])] + + # Initialization + [AuditInfo[]]$tests = Test-AuditGroup "RSSeverityTests" + + # gather results of tests and save it in resultTable + $resultTable = [ResultTable]::new() + foreach ($test in $tests) { + if ($test.AuditInfoStatus -EQ "True") { + $resultTable.Success += 1 + } + if ($test.AuditInfostatus -ne "True") { + $resultTable.Failed += 1 + } + } + + return ([RSSeverityReport]@{ + AuditInfos = $tests + 
ResultTable = $resultTable + Endresult = Get-RSSeverityEndResult($resultTable) + }) +} + +# helper for EndResult of RiskScoreSeverity +function Get-RSSeverityEndResult { + [CmdletBinding()] + [OutputType([RSEndResult])] + + param ( + [Parameter(Mandatory = $true)] + [ResultTable[]] + $resultTable + ) + + $result = "Unknown" + + $f = $resultTable.Failed + if ($f -eq 0) { + $result = "Low" + } + if ($f -ge 1) { + $result = "Critical" + } + return $result +} + +#endregion + +<# +.SYNOPSIS + Tests a single AuditGroup. +.DESCRIPTION + This cmdlet tests a single AuditGroup from folder "AuditGroups". All tests are printed on the console. Can be combined to create own report. +.EXAMPLE + PS C:\> Test-AuditGroup "Google Chrome-CIS-2.0.0#RegistrySettings" + This runs tests defined in the AuditGroup file called 'Google Chrome-CIS-2.0.0#RegistrySettings'. +.PARAMETER GroupName + The name of the AuditGroup. +#> +function Test-AuditGroup { + [CmdletBinding()] + [OutputType([AuditInfo[]])] + param( + [Parameter(Mandatory = $true)] + [string] + $GroupName + ) + + #Windows OS + if ([System.Environment]::OSVersion.Platform -ne 'Unix') { + $tests = . "$RootPath\AuditGroups\$($GroupName).ps1" + } + #Linux OS + else { + $tests = . "$RootPath/AuditGroups/$($GroupName).ps1" + } + + + $i = 1 + foreach ($test in $tests) { + [int]$p = $i++ / $tests.Count * 100 + Write-Progress -Activity "Testing Report for '$GroupName'" -Status "Progress:" -PercentComplete $p + Write-Verbose "Testing $($test.Id)" + $message = "Test not implemented yet." 
+ $status = [AuditInfoStatus]::None + #if audit test contains datatype "Constraints", proceed + if ($test.Constraints) { + $DomainRoleConstraint = $test.Constraints | Where-Object Property -EQ "DomainRole" + #get domain role of system + $currentRole = Get-DomainRole + #get domain roles, which are listed in AuditTest + $domainRoles = $DomainRoleConstraint.Values + if ($currentRole -notin $domainRoles) { + $roleValue = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole + switch ($roleValue) { + 0 { + $message = 'Not applicable. This audit does not apply to Standalone Workstation.' + $status = [AuditInfoStatus]::None + } + 1 { + $message = 'Not applicable. This audit does not apply to Member Workstation.' + $status = [AuditInfoStatus]::None + } + 2 { + $message = 'Not applicable. This audit does not apply to Standalone Server.' + $status = [AuditInfoStatus]::None + } + 3 { + $message = 'Not applicable. This audit does not apply to Member Server.' + $status = [AuditInfoStatus]::None + } + 4 { + $message = 'Not applicable. This audit does not apply to Backup Domain Controller.' + $status = [AuditInfoStatus]::None + } + 5 { + $message = 'Not applicable. This audit does not apply to Primary Domain Controller.' + $status = [AuditInfoStatus]::None + } + } + Write-Output ([AuditInfo]@{ + Id = $test.Id + Task = $test.Task + Message = $message + Status = $status + }) + continue + } + } + + #Windows OS + if ([System.Environment]::OSVersion.Platform -ne 'Unix') { + $role = Get-Wmiobject -Class 'Win32_computersystem' -ComputerName $env:computername | Select-Object domainrole + if ($test.Task -match "(DC only)") { + if ($role.domainRole -ne 4 -and $role.domainRole -ne 5) { + $message = 'Not applicable. This audit does not apply to Member Server systems.' 
+ $status = [AuditInfoStatus]::None + Write-Output ([AuditInfo]@{ + Id = $test.Id + Task = $test.Task + Message = $message + Status = $status + }) + continue + } + } + } + try { + $innerResult = & $test.Test + + if ($null -ne $innerResult) { + $message = $innerResult.Message + $status = [AuditInfoStatus]$innerResult.Status + } + } + catch { + Write-Error $_ + $message = "An error occured!" + $status = [AuditInfoStatus]::Error + } + + Write-Output ([AuditInfo]@{ + Id = $test.Id + Task = $test.Task + Message = $message + Status = $status + }) + } +} + +<# +.SYNOPSIS + Get an audit resource. +.DESCRIPTION + A resource provides abstration over an existing system resource. It is used by AuditTests. +.PARAMETER Name + The name of the resource. +.EXAMPLE + PS C:\> Get-AuditResource -Name "WindowsSecurityPolicy" + Gets the WindowsSecurityPolicy resource. +#> +function Get-AuditResource { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [string] + $Name + ) + #Windows OS + if ([System.Environment]::OSVersion.Platform -ne 'Unix') { + if ($null -eq $script:loadedResources) { + return & "$RootPath\Resources\$($Name).ps1" + } + if (-not $script:loadedResources.ContainsKey($Name)) { + $script:loadedResources[$Name] = (& "$RootPath\Resources\$($Name).ps1") + } + } + #Linuxs OS + else { + if ($null -eq $script:loadedResources) { + return & "$RootPath/Resources/$($Name).ps1" + } + if (-not $script:loadedResources.ContainsKey($Name)) { + $script:loadedResources[$Name] = (& "$RootPath/Resources/$($Name).ps1") + } + } + return $script:loadedResources[$Name] +} + +<# +.SYNOPSIS + Get all reports. +.DESCRIPTION + Find the reports installed on the system. +.PARAMETER ReportName + The name of the report. +.EXAMPLE + PS C:\> Get-ATAPReport + Gets all reports. 
+#> +function Get-ATAPReport { + [CmdletBinding()] + param ( + [Parameter()] + [string] + $ReportName = "*" + ) + #Windows OS + if ([System.Environment]::OSVersion.Platform -ne 'Unix') { + return Get-ChildItem "$RootPath\Reports\$ReportName.ps1" | Select-Object -Property BaseName + } + #Linux OS + return Get-ChildItem "$RootPath/Reports/$ReportName.ps1" | Select-Object -Property BaseName +} + +<# +.SYNOPSIS + Invokes an ATAPReport +.DESCRIPTION + Long description +.EXAMPLE + PS C:\> ATAPReport -ReportName "Google Chrome" + This runs the report and outputs the logical report data. +.PARAMETER ReportName + The name of the report. +.OUTPUTS + Logical report data. +#> +function Invoke-ATAPReport { + [CmdletBinding()] + param ( + [Alias('RN')] + [Parameter(Mandatory = $true)] + [string] + $ReportName + ) + + $script:loadedResources = @{} + # Load the module manifest + + #Windows OS + try { + if ([System.Environment]::OSVersion.Platform -ne 'Unix') { + $moduleInfo = Import-PowerShellDataFile -Path "$RootPath\ATAPAuditor.psd1" + [string]$ReportName = checkReportNameWithOSSystem -ReportName $ReportName + try { + if ($ReportName -eq "Exit") { + throw + } + } + catch { + Write-Host "Script halted: Exiting..." + break + } + [Report]$report = (& "$RootPath\Reports\$ReportName.ps1") + $report.RSReport = Get-RSFullReport + $report.FoundationReport = Get-FoundationReport + } + #Linux OS + else { + $moduleInfo = Import-PowerShellDataFile -Path "$RootPath/ATAPAuditor.psd1" + [Report]$report = (& "$RootPath/Reports/$ReportName.ps1") + } + } + catch [System.Management.Automation.CommandNotFoundException] { + Write-Host "Either your input for -Reportname is faulty or the report does not resolve due to a bug. Please report this bug with the following errormessage: + 1. ErrorException: $_ + 2. PositionMessage: $($_.InvocationInfo.PositionMessage) + 3. 
ReportName: $ReportName" + break + } + $report.AuditorVersion = $moduleInfo.ModuleVersion + return $report +} + +<# +.SYNOPSIS + The Audit Test Automation Package creates transparents reports about hardening compliance status +.DESCRIPTION + The Audit Test Automation Package gives you the ability to get an overview about the compliance status of several systems. + You can easily create HTML-reports and have a transparent overview over compliance and non-compliance of explicit setttings + and configurations in comparison to industry standards and hardening guides. +.EXAMPLE + PS C:\> Save-ATAPHtmlReport -ReportName "Microsoft Windows 10 Complete" -RiskScore -Path C:\Temp\report.html + This runs the 'Microsoft Windows 10 Complete' report, adding RiskScore to it and stores the resulting html file under C:\Temp using the file name report.html +.EXAMPLE + PS C:\> Save-ATAPHtmlReport -ReportName "Microsoft Windows 10 BSI" -RiskScore -Path C:\Temp + This runs the 'Microsoft Windows 10 BSI' report, adding RiskScore to it and stores the resulting html file under C:\Temp using the standard naming convention for file names .html +.EXAMPLE + PS C:\> Save-ATAPHtmlReport -ReportName "Microsoft Windows Server 2022" -Path C:\Temp + This runs the 'Microsoft Windows Server 2022' report, without adding RiskScore to it and stores the resulting html file under C:\Temp using the standard naming convention for file names .html +.EXAMPLE + PS C:\> Save-ATAPHtmlReport -ReportName "Google Chrome" + This runs the 'Google Chrome' report and stores the resulting html file (by default) under ~\Documents\ATAPReports +.EXAMPLE + PS C:\> Save-ATAPHtmlReport -ReportName "Ubuntu 20.04" + This runs the 'Ubuntu 20.04' report and stores the resulting html file (by default) under ~\Documents\ATAPReports +.PARAMETER ReportName + Determine, which OS shall be tested. +.PARAMETER Path + The path where the result html document should be stored. 
+.PARAMETER RiskScore + Add a RiskScore-Matrix to report (works only on Windows OS) +.PARAMETER MITRE + Add a MITRE ATT&CK headmap to report (works only on Windows OS) +.PARAMETER Force + If the parent directory doesn't exist it will be created. +.OUTPUTS + None. +#> +function Save-ATAPHtmlReport { + [CmdletBinding()] + param( + [Alias('RN')] + [Parameter(Mandatory = $true)] + [string] + $ReportName, + + [Parameter(Mandatory = $false)] + [string] + $Path = ($script:atapReportsPath | Join-Path -ChildPath "$($ReportName)_$(Get-Date -UFormat %Y%m%d_%H%M%S).html"), + + [Parameter(Mandatory = $false)] + [switch] + $RiskScore, + + [Parameter(Mandatory = $false)] + [switch] + $SkipLicenseCheck, + # [Parameter(Mandatory = $false)] + # [switch] + # $MITRE, + + [Parameter()] + [switch] + $Force + ) + + if ([Environment]::Is64BitProcess -eq $false) { + Write-Host "Please use 64-bit version of PowerShell in order to use AuditTAP. Closing..." -ForegroundColor red + return; + } + + if (($languagemode = IsIn-FullLanguageMode) -ne $true) { + if ($languagemode -eq $false) { + Write-Host "The current language mode could not be determined. Ensure that AuditTAP is run in `"FullLanguage`" mode. For further information, contact your administrator. Closing..." -ForegroundColor red + } + else { + Write-Host "The current language mode is `"$languagemode`". Ensure that AuditTAP is run in `"FullLanguage`" mode. For further information, contact your administrator. Closing..." -ForegroundColor red + } + return + } + + $parent = $path + if ($Path -match ".html") { + $parent = Split-Path -Path $Path + } + + #if input path is not default one + if ($parent -ne $script:atapReportsPath) { + $pathCheck = Test-Path -Path $parent -PathType Container + #if path doesn't exist + if ($pathCheck -eq $False) { + if (-not [string]::IsNullOrEmpty($parent) -and -not (Test-Path $parent)) { + New-Item -ItemType Directory -Path $parent -Force | Out-Null + Write-Warning "Could not find Path. 
Path will be created: $parent" + } + else { + Write-Warning "Could not find Path. Report will be created inside default path: $($script:atapReportsPath)" + $Path = $($script:atapReportsPath) + } + } + } + Write-Verbose "OS-Check" + $isUnix = [System.Environment]::OSVersion.Platform -eq 'Unix' + if ($isUnix) { + [SystemInformation] $SystemInformation = (& "$PSScriptRoot\Helpers\ReportUnixOS.ps1") + } + else { + [SystemInformation] $SystemInformation = (& "$PSScriptRoot\Helpers\ReportWindowsOS.ps1") + Start-ModuleTest + if ($ReportName -eq "Microsoft IIS10") { + $isIIS10Executable = IsIIS10Executable + if ($isIIS10Executable -eq $false) { + Write-Warning "IIS10 Report not executable! IISAdministration module not available. Please install this module and try again. Exiting..." + return; + } + } + Write-Verbose "PS-Check" + $psVersion = $PSVersionTable.PSVersion + #PowerShell Major version not 5.* + if (($psVersion.Major -ne 5)) { + Write-Warning "ATAPAuditor is only compatible with PowerShell Version 5.1. Your version is $psVersion. Please open a PowerShell Version 5.1 session to continue!" + return; + } + #PowerShell version not 5.1 + if (($psVersion.Major -eq 5) -and ($psVersion.Minor -eq 0)) { + Write-Warning "ATAPAuditor is only compatible with PowerShell Version 5.1. Your version is $psVersion. You need to upgrade to a higher Windows version!" 
+ return; + } + } + + $report = Invoke-ATAPReport -ReportName $ReportName + #hashes for each recommendation + if (!$isUnix) { + $SystemInformation.SoftwareInformation.LicenseStatus = Get-LicenseStatus $SkipLicenseCheck + } + $hashtable_sha256 = GenerateHashTable $report + + $report | Get-ATAPHtmlReport -Path $Path -RiskScore:$RiskScore -MITRE:$MITRE -hashtable_sha256:$hashtable_sha256 -LicenseStatus:$LicenseStatus -SystemInformation:$SystemInformation +} + +New-Alias -Name 'shr' -Value Save-ATAPHtmlReport + +$completer = { + param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters) + + Get-ChildItem "$RootPath\Reports\*.ps1" ` + | Select-Object -ExpandProperty BaseName ` + | ForEach-Object { "`"$_`"" } ` + | Where-Object { $_ -like "*$wordToComplete*" } +}.GetNewClosure() + +Register-ArgumentCompleter -CommandName Save-ATAPHtmlReport -ParameterName ReportName -ScriptBlock $completer +Register-ArgumentCompleter -CommandName shr -ParameterName ReportName -ScriptBlock $completer diff --git a/ATAPAuditor/AuditGroups/CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings.ps1 new file mode 100644 index 0000000..ac75b3a --- /dev/null +++ b/ATAPAuditor/AuditGroups/CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings.ps1 
@@ -0,0 +1,1852 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$listOfWeakCipherSuites = getListOfWeakCipherSuites +$listOfInsecureCipherSuites = getListOfInsecureCipherSuites +[AuditTest] @{ + Id = "1.1 A" + Task = "Disable SSLv2 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1 B" + Task = "Disable SSLv2 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1 C" + Task = "Disable SSLv2 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1 D" + Task = "Disable SSLv2 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2 A" + Task = "Disable SSLv3 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + $OS = Get-CimInstance Win32_OperatingSystem + if($OS.Caption -match "Server 2012 R2"){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2 B" + Task = "Disable SSLv3 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + $OS = Get-CimInstance Win32_OperatingSystem + if($OS.Caption -match "Server 2012 R2"){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2 C" + Task = "Disable SSLv3 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + $OS = Get-CimInstance Win32_OperatingSystem + if($OS.Caption -match "Server 2012 R2"){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2 D" + Task = "Disable SSLv3 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + $OS = Get-CimInstance Win32_OperatingSystem + if($OS.Caption -match "Server 2012 R2"){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3 A" + Task = "Disable TLS1.0 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3 B" + Task = "Disable TLS1.0 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3 C" + Task = "Disable TLS1.0 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3 D" + Task = "Disable TLS1.0 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4 A" + Task = "Disable TLS1.1 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4 B" + Task = "Disable TLS1.1 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4 C" + Task = "Disable TLS1.1 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4 D" + Task = "Disable TLS1.1 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5 A" + Task = "Enable TLS1.2 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:
"` + +''` + +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5 B" + Task = "Enable TLS1.2 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5 C" + Task = "Enable TLS1.2 Protocol (Client)" + Test = { + $OS = Get-CimInstance Win32_OperatingSystem | Select-Object Caption + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. 
For more information, please refer to this link:
"` + +'
'` + +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5 D" + Task = "Enable TLS1.2 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6 A" + Task = "Enable TLS1.3 Protocol (Server)" + Test = { + try{ + $OS = (Get-CimInstance Win32_OperatingSystem).Caption + if($OS -notmatch "Server 2022" -and $OS -notmatch "Windows 11"){ + return @{ + Message = "OS currently not supported. 
For more information check out this link: TLS protocol version support" + Status = "None" + } + } + } + catch{ + return @{ + Message = "Test not successful. Cmdlet not found 'Get-CimInstance'. " + Status = "None" + } + } + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "PowerShell cmdlet not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6 B" + Task = "Enable TLS1.3 Protocol (Server DisabledByDefault)" + Test = { + try{ + $OS = (Get-CimInstance Win32_OperatingSystem).Caption + if($OS -notmatch "Server 2022" -and $OS -notmatch "Windows 11"){ + return @{ + Message = "OS currently not supported. For more information check out this link: TLS protocol version support" + Status = "None" + } + } + } + catch{ + return @{ + Message = "Test not successful. Cmdlet not found 'Get-CimInstance'. " + Status = "None" + } + } + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "PowerShell cmdlet not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6 C" + Task = "Enable TLS1.3 Protocol (Client)" + Test = { + try{ + $OS = (Get-CimInstance Win32_OperatingSystem).Caption + if($OS -notmatch "Server 2022" -and $OS -notmatch "Windows 11"){ + return @{ + Message = "OS currently not supported. For more information check out this link: TLS protocol version support" + Status = "None" + } + } + } + catch{ + return @{ + Message = "Test not successful. Cmdlet not found 'Get-CimInstance'. " + Status = "None" + } + } + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "PowerShell cmdlet not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6 D" + Task = "Enable TLS1.3 Protocol (Client DisabledByDefault)" + Test = { + try{ + $OS = (Get-CimInstance Win32_OperatingSystem).Caption + if($OS -notmatch "Server 2022" -and $OS -notmatch "Windows 11"){ + return @{ + Message = "OS currently not supported. For more information check out this link: TLS protocol version support" + Status = "None" + } + } + } + catch{ + return @{ + Message = "Test not successful. Cmdlet not found 'Get-CimInstance'. " + Status = "None" + } + } + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "PowerShell cmdlet not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "Disable NULL Cipher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.2" + Task = "Disable DES Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4 A" + Task = "Disable RC4 Cipher Suite - 40/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4 B" + Task = "Disable RC4 Cipher Suite - 56/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4 C" + Task = "Disable RC4 Cipher Suite - 64/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4 D" + Task = "Disable RC4 Cipher Suite - 128/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.5" + Task = "Disable AES 128/128 Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.6" + Task = "Disable Triple DES Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.7" + Task = "Enable AES 256/256 Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:
"` + +''` + +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1" + Task = "Configure Cipher Suite Ordering" + Test = { + #check if correct type + $typeTable = @{ + "String" = "String Value" + "Byte" = "Byte Value" + "Int32" = "DWORD (32-bit) Value" + "Int64" = "QWORD (64-bit) Value" + "String[]" = "Multi-String Value" + } + #Default status + $status = "Error" + + #Output + $verbInsecure = "rules have" + $verbWeak = "rules have" + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + + $currentType = $typeTable[$res] + if ($res -ne [String]) { + return @{ + Message = "Wrong Registry type! Registry type is '$currentType'. 
Expected: 'String Value'" + Status = "False" + } + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue.Split(',') + $regValues = $regValues -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach($element in $regValues){ + if($listOfWeakCipherSuites.Contains($element)){ + $weakRulesFound += $element + } + if($listOfInsecureCipherSuites.Contains($element)){ + $insecureRulesFound += $element + } + } + if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"} + if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"} + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach($member in $weakRulesFound){ + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach($member in $insecureRulesFound){ + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){ + $message = "" + if($weakRulesFound.Count -eq 0){ $weakMessage = "" } + if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + return @{ + Message = $message + Status = $status + } + } + + if ($regValue -ne $reference) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + $currentType = $typeTable[$res] + if ($res -ne [String[]]) { + return @{ + Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'Multi-String Value'" + Status = "False" + } + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach($element in $regValues){ + if($listOfWeakCipherSuites.Contains($element)){ + $weakRulesFound += $element + } + if($listOfInsecureCipherSuites.Contains($element)){ + $insecureRulesFound += $element + } + } + if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"} + if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"} + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach($member in $weakRulesFound){ + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach($member in $insecureRulesFound){ + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){ + $message = "" + if($weakRulesFound.Count -eq 0){ $weakMessage = "" } + if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + return @{ + Message = $message + Status = $status + } + } + + if ($regValue -ne $reference) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1" + Task = "Disable SHA-1 hash" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.2" + Task = "Disable MD5 hash" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1 A" + Task = "Enable .Net Strong Crypto v2.0.50727 SystemDefaultTlsVersions 32 Bit on 64 Bit System" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" ` + -Name "SystemDefaultTlsVersions" ` + | Select-Object -ExpandProperty "SystemDefaultTlsVersions" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1 B" + Task = "Enable .Net Strong Crypto v2.0.50727 SchUseStrongCrypto 32 Bit on 64 Bit System" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" ` + -Name "SchUseStrongCrypto" ` + | Select-Object -ExpandProperty "SchUseStrongCrypto" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1 C" + Task = "Enable .Net Strong Crypto v2.0.50727 SystemDefaultTlsVersions" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" ` + -Name "SystemDefaultTlsVersions" ` + | Select-Object -ExpandProperty "SystemDefaultTlsVersions" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1 D" + Task = "Enable .Net Strong Crypto v2.0.50727 SchUseStrongCrypto" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" ` + -Name "SchUseStrongCrypto" ` + | Select-Object -ExpandProperty "SchUseStrongCrypto" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2 A" + Task = "Enable .Net Strong Crypto v4.0.30319 SystemDefaultTlsVersions 32 Bit on 64 Bit System" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" ` + -Name "SystemDefaultTlsVersions" ` + | Select-Object -ExpandProperty "SystemDefaultTlsVersions" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2 B" + Task = "Enable .Net Strong Crypto v4.0.30319 SchUseStrongCrypto 32 Bit on 64 Bit System" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" ` + -Name "SchUseStrongCrypto" ` + | Select-Object -ExpandProperty "SchUseStrongCrypto" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2 C" + Task = "Enable .Net Strong Crypto v4.0.30319 SystemDefaultTlsVersions" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" ` + -Name "SystemDefaultTlsVersions" ` + | Select-Object -ExpandProperty "SystemDefaultTlsVersions" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2 D" + Task = "Enable .Net Strong Crypto v4.0.30319 SchUseStrongCrypto" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" ` + -Name "SchUseStrongCrypto" ` + | Select-Object -ExpandProperty "SchUseStrongCrypto" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Debian Linux 11-CIS-1.0.0.ps1 b/ATAPAuditor/AuditGroups/Debian Linux 11-CIS-1.0.0.ps1 new file mode 100644 index 0000000..93cecca --- /dev/null 
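Review bot: test 3.1 (Configure Cipher Suite Ordering) can never report a non-compliant cipher order. `$regValue` is the object returned by `Get-ItemProperty`, not the expanded `Functions` property, so `$regValues = $regValue.Split(',')` in the try block throws a method-not-found error that the bare `catch` swallows before falling through to the `Cryptography\Configuration\Local\SSL\00010002` lookup; there `$regValue -replace ' ', ''` stringifies the whole object, so `$listOfWeakCipherSuites.Contains($element)` and `$listOfInsecureCipherSuites.Contains($element)` never match, and the closing `if ($regValue -ne $reference) { return @{ Message = "Compliant"` is both inverted (a mismatch with the reference order should be a finding, not Compliant) and redundant with the unconditional Compliant return after it. Suggest `-Name "Functions" | Select-Object -ExpandProperty "Functions"` in both branches, treating `($regValues -join ',') -ne $reference` as the non-compliance condition, and narrowing the catch to the policy key being absent; note the second `Get-ItemProperty -ErrorAction Stop` inside the catch is itself unguarded, so a host with neither key set terminates the test with an unhandled exception instead of a result. Two smaller points: `$listOfWeakCipherSuites` and `$listOfInsecureCipherSuites` are not defined anywhere in this hunk, so please confirm they are in scope at file level; and in test 2.7 a REG_DWORD of 0xFFFFFFFF comes back from `Get-ItemProperty` as an `Int32` of -1, so `if ($regValue -eq 4294967295)` never fires and the "no longer supported" branch (whose message promises a link but carries only the page title, no URL) is dead code; compare against -1 or cast the value to `[uint32]` first.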
+++ b/ATAPAuditor/AuditGroups/Debian Linux 11-CIS-1.0.0.ps1 
@@ -0,0 +1,5295 @@ +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure mounting of cramfs filesystems is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.1.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure mounting of squashfs filesystems is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.2.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.3" + Task = "Ensure mounting of udf filesystems is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.3.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.2.1" + Task = "Ensure /tmp is a separate partition" + Test = { + $result = findmnt --kernel /tmp + if ($result -match "/tmp") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.2.2" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep nodev + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + 
} +} +[AuditTest] @{ + Id = "1.1.2.3" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep noexec + if ($result -match "noexec") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.2.4" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep nosuid + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.3.1" + Task = "Ensure separate partition exists for /var" + Test = { + $result = findmnt --kernel /var + if ($result -match "/var") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.3.2" + Task = "Ensure nodev option set on /var partition" + Test = { + $result = findmnt --kernel /var + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.3.3" + Task = "Ensure nosuid option set on /var partition" + Test = { + $result = findmnt --kernel /var + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.4.1" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result = findmnt --kernel /var/tmp + if ($result -match "/var/tmp") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.4.2" + Task = "Ensure noexec option set on /var/tmp partition" + Test = { + $result = findmnt --kernel /var/tmp + + # if no separate 
partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "noexec") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.4.3" + Task = "Ensure nosuid option set on /var/tmp partition" + Test = { + $result = findmnt --kernel /var/tmp + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.4.4" + Task = "Ensure nodev option set on /var/tmp partition" + Test = { + $result = findmnt --kernel /var/tmp + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.5.1" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result = findmnt --kernel /var/log + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "/var/log") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.5.2" + Task = "Ensure nodev option set on /var/log partition" + Test = { + $result = findmnt --kernel /var/log + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} 
+[AuditTest] @{ + Id = "1.1.5.3" + Task = "Ensure noexec option set on /var/log partition" + Test = { + $result = findmnt --kernel /var/log + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "noexec") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.5.4" + Task = "Ensure nosuid option set on /var/log partition" + Test = { + $result = findmnt --kernel /var/log + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.6.1" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit + if ($result -match "/var/log/audit") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.6.2" + Task = "Ensure noexec option set on /var/log/audit partition" + Test = { + $result = findmnt --kernel /var/log/audit + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "noexec") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.6.3" + Task = "Ensure nodev option set on /var/log/audit partition" + Test = { + $result = findmnt --kernel /var/log/audit + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } 
+ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.6.4" + Task = "Ensure nosuid option set on /var/log/audit partition" + Test = { + $result = findmnt --kernel /var/log/audit + + # if no separate partition, at least the flag is set + if ($result -eq $null) { + $result = findmnt --kernel /var + } + + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.7.1" + Task = "Ensure separate partition exists for /home" + Test = { + $result = findmnt --kernel /home + if ($result -match "/home") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.7.2" + Task = "Ensure nodev option set on /home partition" + Test = { + $result = findmnt --kernel /home + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.7.3" + Task = "Ensure nosuid option set on /home partition" + Test = { + $result = findmnt --kernel /home + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.8.1" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $result = findmnt --kernel /dev/shm | grep nodev + if ($result -match "nodev") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.8.2" + Task = "Ensure noexec option set on /dev/shm partition" + Test = { + $result = findmnt --kernel /dev/shm | grep noexec + if ($result -match "noexec") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + 
Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.8.3" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $result = findmnt --kernel /dev/shm | grep nosuid + if ($result -match "nosuid") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.9" + Task = "Disable Automounting" + Test = { + $result1 = systemctl is-enabled autofs + $status = $? + # error occurs when autofs is not installed, that is compliant, too + if ($status -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + if ($result1 -match "Failed" -and ($result1 -match "Failed" -or $result1 -match "disabled")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.10" + Task = "Disable USB Storage" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.10.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "Ensure package manager repositories are configured" + Test = { + $result = apt-cache policy + if ($result -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "Ensure GPG keys are configured" + Test = { + $result = apt-key list + if ($result -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.3.1" + Task = "Ensure AIDE is installed" + Test = { + $result = dpkg-query -W 
-f='${binary:Package}\t${Status}\t${db:Status-Status}\n' aide aide-common + if ($result -match "install ok installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.3.2" + Task = "Ensure filesystem integrity is regularly checked" + Test = { + $result = grep -Prs '^([^#\n\r]+\h+)?(\/usr\/s?bin\/|^\h*)aide(\.wrapper)?\h+(--check|([^#\n\r]+\h+)?\$AIDEARGS)\b' /etc/cron.* /etc/crontab /var/spool/cron/ + if ($result -match "install ok installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure bootloader password is set" + Test = { + $result1 = grep "^set superusers" /boot/grub/grub.cfg + $result2 = grep "^password" /boot/grub/grub.cfg + + if ($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure permissions on bootloader config are configured" + Test = { + $test1 = stat /boot/grub/grub.cfg | grep 0400 + if ($test1 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.4.3" + Task = "Ensure authentication required for single user mode" + Test = { + $command = @' +grep -Eq '^root:\$(y|[0-9])' /etc/shadow || echo 'root is locked' +'@ + $result = bash -c $command + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure address space layout randomization (ASLR) is enabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-1.5.1.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure prelink is not installed" + Test = { + $result = dpkg -l | grep -o prelink + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure Automatic Error Reporting is not enabled" + Test = { + $command = "dpkg-query -s apport > /dev/null 2>&1 && grep -Psi --'^\h*enabled\h*=\h*[^0]\b' /etc/default/apport" + $result1 = bash -c $command + $result2 = systemctl is-active apport.service | grep '^active' + if ($result1 -eq $null -and $result2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.4" + Task = "Ensure core dumps are restricted" + Test = { + try { + $result1 = grep -Es '^(\*|\s).*hard.*core.*(\s+#.*)?$' /etc/security/limits.conf /etc/security/limits.d/* + $result2 = sysctl fs.suid_dumpable + $result3 = grep "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/* + try { + $result4 = systemctl is-enabled coredump.service + $message = "Compliant" + if ($result4 -match "enabled" -or $result4 -match "masked" -or $result4 -match "disabled") { + $message = "systemd-coredump is installed" + } + } + catch { + $message = "systemd-coredump not installed" + } + if ($result1 -match ".*\s*hard\s*core\s*0{1}?\s*" -and $result2 -match "fs.suid_dumpable = 0" -and $result3 -match "fs.suid_dumpable = 0") { + return @{ + Message = $message + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "1.6.1.1" + Task = "Ensure AppArmor is installed" + Test = { + $result = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' apparmor apparmor-utils + if ($result -match "apparmor\s+install ok installed\s+installed" -and $result -match "apparmor-utils\s+install ok installed\s+installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.6.1.2" + Task = "Ensure AppArmor is enabled in the bootloader configuration" + Test = { + $result1 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1" + $result2 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "security=apparmor" + if ($result1 -eq $null -and $result2 -eq $null ) { + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.6.1.3" + Task = "Ensure all AppArmor Profiles are in enforce or complain mode" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + $profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1 + $result = expr $profileMode3 + $profileMode2 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + + if ($result -eq $profileMode1 -and $unconfinedProcesses -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.6.1.4" + Task = "Ensure all AppArmor Profiles are enforcing" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + 
+ if ($profileMode1 -eq $profileMode2 -and $unconfinedProcesses -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.1" + Task = "Ensure message of the day is configured properly" + Test = { + $output = grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd + + if ($output -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.2" + Task = "Ensure local login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + + if ($output1 -ne $null -and $output2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue.net + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + + if ($output1 -ne $null -and $output2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.4" + Task = "Ensure permissions on /etc/motd are configured" + Test = { + if (Test-Path /etc/motd) { + $test1 = stat /etc/motd | grep 0644 + if ($test1 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + else { + return @{ + Message = "motd not present" + Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "1.7.5" + Task = "Ensure permissions on /etc/issue are configured" + Test = { + 
$output = stat -L /etc/issue | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)" + + if ($output -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.1" + Task = "Ensure GNOME Display Manager is removed" + Test = { + $test = dpkg -l | grep "^ii" | grep -q "gdm3" + $output = $? + if ($output -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.2" + Task = "Ensure GDM login banner is configured" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.2.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.3" + Task = "Ensure GDM disable-user-list option is enabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.3.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.4" + Task = "Ensure GDM screen locks when the user is idle" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.4.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.5" + Task = "Ensure 
GDM screen locks cannot be overridden" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.5.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.6" + Task = "Ensure GDM automatic mounting of removable media is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.6.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.7" + Task = "Ensure GDM disabling automatic mounting of removable media is not overridden" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.7.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.8" + Task = "Ensure GDM autorun-never is enabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.8.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.9" + Task = "Ensure GDM autorun-never is not overridden" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.9.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.10" + Task = "Ensure XDCMP is not enabled" + Test = { + $output = grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm3/custom.conf + if ($output -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.9" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + $output = apt -s upgrade + $output = $? + if ($output -match "True") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.1.1" + Task = "Ensure a single time synchronization daemon is in use" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-2.1.1.1.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.2.1" + Task = "Ensure chrony is configured with authorized timeserver" + Test = { + $output = apt -s upgrade + $output = $? + if ($output -match "True") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.2.2" + Task = "Ensure chrony is running as user _chrony" + Test = { + $testchr = dpkg-query -s chrony + $statuschr = $? 
+ if ($statuschr -match "True") { + $result = ps -ef | awk '(/[c]hronyd/ && $1!="_chrony") { print $1 }' + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "chrony not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "2.1.2.3" + Task = "Ensure chrony is enabled and running" + Test = { + $testchr = dpkg-query -s chrony + $statuschr = $? + if ($statuschr -match "True") { + $result1 = systemctl is-enabled chrony.service + $result2 = systemctl is-active chrony.service + if ($result1 -match "enabled" -and $result2 -match "active") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "chrony not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "2.1.3.1" + Task = "Ensure systemd-timesyncd configured with authorized timeserver" + Test = { + + $testtime = dpkg-query -s systemd-timesyncd + $statustime = $? + if ($statustime -match "True") { + $command = @' +find /etc/systemd -type f -name '*timesyncd*' -exec grep -Ehl '^NTP=|^FallbackNTP=' {} + +'@ + $test = bash -c $command + $status = $? 
+ + if ($status -match "True") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "systemd-timesyncd not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "2.1.3.2" + Task = "Ensure systemd-timesyncd is enabled and running" + Test = { + $result1 = systemctl is-enabled systemd-timesyncd.service + $result2 = systemctl is-active systemd-timesyncd.service + if ($result1 -match "enabled" -and $result2 -match "active") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.4.1" + Task = "Ensure ntp access control is configured" + Test = { + $testntp = dpkg-query -s ntp + $statusntp = $? + + if ($statusntp -match "True") { + $result = grep -P -- '^\h*restrict\h+((-4\h+)?|-6\h+)default\h+(?:[^#\n\r]+\h+)*(?!(?:\2|\3|\4|\5))(\h*\bkod\b\h*|\h*\bnomodify\b\h*|\h*\bnotrap\b\h*|\h*\bnopeer\b\h*|\h*\bnoquery\b\h*)\h+(?:[^#\n\r]+\h+)*(?!(?:\1|\3|\4|\5))(\h*\bkod\b\h*|\h*\bnomodify\b\h*|\h*\bnotrap\b\h*|\h*\bnopeer\b\h*|\h*\bnoquery\b\h*)\h+(?:[^#\n\r]+\h+)*(?!(?:\1|\2|\4|\5))(\h*\bkod\b\h*|\h*\bnomodify\b\h*|\h*\bnotrap\b\h*|\h*\bnopeer\b\h*|\h*\bnoquery\b\h*)\h+(?:[^#\n\r]+\h+)*(?!(?:\1|\2|\3|\5))(\h*\bkod\b\h*|\h*\bnomodify\b\h*|\h*\bnotrap\b\h*|\h*\bnopeer\b\h*|\h*\bnoquery\b\h*)\h+(?:[^#\n\r]+\h+)*(?!(?:\1|\2|\3|\4))(\h*\bkod\b\h*|\h*\bnomodify\b\h*|\h*\bnotrap\b\h*|\h*\bnopeer\b\h*|\h*\bnoquery\b\h*)\h*(?:\h+\H+\h*)*(?:\h+#.*)?$' /etc/ntp.conf + $wordsToCheck = "default", "kod", "nomodify", "notrap", "nopeer", "noquery" + $pattern = "\b(" + ($wordsToCheck -join "|") + ")\b" + if ($result.Count -eq 2 -and $result[0] -match $pattern -and $result[1] -match $pattern) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "ntp not installed" + Status = "None" + 
} + } +} +[AuditTest] @{ + Id = "2.1.4.2" + Task = "Ensure ntp is configured with authorized timeserver" + Test = { + $testntp = dpkg-query -s ntp + $statusntp = $? + if ($statusntp -match "True") { + $result = grep -P -- '^\h*(server|pool)\h+\H+' /etc/ntp.conf + $wordsToCheck = "default", "kod", "nomodify", "notrap", "nopeer", "noquery" + $pattern = "\b(" + ($wordsToCheck -join "|") + ")\b" + if ($result.Count -eq 2 -and $result[0] -match $pattern -and $result[1] -match $pattern) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "ntp not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "2.1.4.3" + Task = "Ensure ntp is running as user ntp" + Test = { + $testntp = dpkg-query -s ntp + $statusntp = $? + if ($statusntp -match "True") { + $result1 = ps -ef | awk '(/[n]tpd/ && $1!="ntp") { print $1 }' + $result2 = grep -P -- '^\h*RUNASUSER=' /etc/init.d/ntp + if ($result1 -eq $null -and $result2 -eq "RUNASUSER=ntp") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "ntp not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "2.1.4.4" + Task = "Ensure ntp is enabled and running" + Test = { + $testntp = dpkg-query -s ntp + $statusntp = $? 
+ if ($statusntp -match "True") { + $result1 = systemctl is-enabled ntp.service + $result2 = systemctl is-active ntp.service + if ($result1 -match "enabled" -and $result2 -match "active") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "ntp not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "2.2.1" + Task = "Ensure X Window System is not installed" + Test = { + $result = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' xserver-xorg* | grep -Pi '\h+installed\b' + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure Avahi Server is not installed" + Test = { + $test1 = dpkg -l | grep "^ii" | grep -q "avahi-daemon" + $test1 = $? + if ($test1 -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "Ensure CUPS is not installed" + Test = { + $result = dpkg-query -s cups + $status = $? 
+ if ($status -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure DHCP Server is not installed" + Test = { + $result = dpkg -l | grep -o isc-dhcp-server + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure LDAP server is not installed" + Test = { + $result = dpkg -l | grep -o slapd + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "Ensure NFS is not installed" + Test = { + $result = dpkg -l | grep -o nfs-kernel-server + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "Ensure DNS Server is not installed" + Test = { + $result = dpkg -l | grep -E -w "^ii\s+bind9\s" + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "Ensure FTP Server is not installed" + Test = { + $result = dpkg -l | grep -o vsftpd + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "Ensure HTTP server is not installed" + Test = { + $result = dpkg -l | grep -E 'apache2\s' + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "Ensure IMAP and POP3 server are not installed" + Test = { 
+ $result = dpkg -l | grep -o dovecot- + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "Ensure Samba is not installed" + Test = { + $result = dpkg-query -s samba + $status = $? + if ($status -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "Ensure HTTP Proxy Server is not installed" + Test = { + $result = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' squid + if ($result -match "squid\s+unknown ok not-installed\s+not-installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "Ensure SNMP Server is not installed" + Test = { + $result = dpkg -l | grep -E 'snmpd\s' + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "Ensure NIS Server is not installed" + Test = { + $result = dpkg-query -s nis + $status = $? 
+ if ($status -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "Ensure mail transfer agent is configured for local-only mode" + Test = { + $result = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "Ensure rsync service is either not installed or masked" + Test = { + $result = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' rsync + if ($result -match "rsync\s+unknown ok not-installed\s+not-installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3.1" + Task = "Ensure NIS Client is not installed" + Test = { + $result = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' nis + if ($result -match "nis\s+unknown ok not-installed\s+not-installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3.2" + Task = "Ensure rsh client is not installed" + Test = { + $result = dpkg-query -s rsh-client + $status = $? + if ($status -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3.3" + Task = "Ensure talk client is not installed" + Test = { + $test1 = dpkg -l | grep "^ii" | grep -q "talk" + $test1 = $? 
+ if ($test1 -match "False") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3.4" + Task = "Ensure telnet client is not installed" + Test = { + $test1 = dpkg -l | grep -o telnet + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3.5" + Task = "Ensure LDAP client is not installed" + Test = { + $test1 = dpkg -l | grep -o ldap-utils + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3.6" + Task = "Ensure RPC is not installed" + Test = { + $test1 = dpkg -l | grep -o rpcbind + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.4" + Task = "Ensure nonessential services are removed or masked" + Test = { + $test1 = lsof -i -P -n | grep -v "(ESTABLISHED)" + if ($test1 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.1" + Task = "Ensure system is checked to determine if IPv6 is enabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.1.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.2.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.3" + Task = "Ensure DCCP is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.3.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.4" + Task = "Ensure SCTP is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.4.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.5" + Task = "Ensure RDS is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.5.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.6" + Task = "Ensure TIPC is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.6.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } 
+} +[AuditTest] @{ + Id = "3.2.1" + Task = "Ensure packet redirect sending is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.1.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure IP forwarding is disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.2.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure source routed packets are not accepted" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.1.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure ICMP redirects are not accepted" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.2.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.3" + Task = "Ensure secure ICMP redirects are not accepted" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.3.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure suspicious packets are logged" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.4.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure broadcast ICMP requests are ignored" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.5.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure bogus ICMP responses are ignored" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.6.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure Reverse Path Filtering is enabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.7.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } 
+ return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure TCP SYN Cookies is enabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.8.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure IPv6 router advertisements are not accepted" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.9.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.1" + Task = "Ensure ufw is installed" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "False") { + $result = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' ufw + if ($result -match "ufw\s+install ok installeds\+installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "nftables installed instead " + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.1.2" + Task = "Ensure iptables-persistent is not installed with ufw" + Test = { + $testufw = dpkg-query -s ufw + $statusufw = $? 
+ if ($statusufw -match "True") { + $test1 = dpkg -l | grep -o iptables-persistent + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.5.1.3" + Task = "Ensure ufw service is enabled" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "True") { + return @{ + Message = "nftables installed instead " + Status = "None" + } + } + $result1 = systemctl is-enabled ufw.service + $result2 = systemctl is-active ufw + $result3 = ufw status + + if ($result1 -match "enabled" -and $result2 -match "active" -and $result3 -match "Status: active") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.4" + Task = "Ensure ufw loopback traffic is configured" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? 
+ if ($statusnft -match "True") { + return @{ + Message = "nftables installed instead " + Status = "None" + } + } + $test1 = ufw status verbose + $result1 = $test1 -match "^Anywhere on lo\s+ALLOW IN\s+Anywhere$" + $result2 = $test1 -match "^Anywhere\s+DENY IN\s+127.0.0.0/8$" + $result3 = $test1 -match "^Anywhere (v6) on lo\s+ALLOW IN\s+Anywhere (v6)$" + $result4 = $test1 -match "^Anywhere (v6)\s+DENY IN\s+::1$" + $result5 = $test1 -match "^Anywhere\s+ALLOW OUT\s+Anywhere on lo$" + $result6 = $test1 -match "^Anywhere (v6)\s+ALLOW OUT\s+Anywhere (v6) on lo$" + if ($result1 -ne $null -and $result2 -ne $null -and $result3 -ne $null -and $result4 -ne $null -and $result5 -ne $null -and $result6 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.5" + Task = "Ensure ufw outbound connections are configured" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "True") { + return @{ + Message = "nftables installed instead " + Status = "None" + } + } + return @{ + Message = "Run the following command and verify all rules for new outbound connections match site policy: ufw status numbered" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.1.6" + Task = "Ensure ufw firewall rules exist for all open ports" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? 
+ if ($statusnft -match "True") { + return @{ + Message = "nftables installed instead " + Status = "None" + } + } + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-3.5.1.6.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.7" + Task = "Ensure ufw default deny firewall policy" + Test = { + + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "True") { + return @{ + Message = "nftables installed instead " + Status = "None" + } + } + + $result = ufw status verbose | grep Default: + + if ($result -match "Default: (deny|reject|disabled) (incoming), (deny|reject|disabled) (outgoing), (deny|reject|disabled) (routed)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.2.1" + Task = "Ensure nftables is installed" + Test = { + $test = dpkg-query -s nftables | grep 'Status: install ok installed' + if ($test -match "Status: install ok installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.2.2" + Task = "Ensure ufw is uninstalled or disabled with nftables" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "True") { + $testufw = dpkg-query -s ufw | grep 'Status: install ok installed' + $statusufw = $? 
+ + if ($statusufw -match "True") { + $test2 = ufw status + if ($test2 -match "inactive") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "nftables not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.2.3" + Task = "Ensure iptables are flushed with nftables" + Test = { + return @{ + Message = "Run the following commands to ensure no iptables rules exist for iptables: iptables -L \nNo rules should be returned for ip6tables: ip6tables -L \nNo rules should be returned" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.2.4" + Task = "Ensure a nftables table exists" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "True") { + $test = nft list tables + if ($test -match "table") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "nftables not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.2.5" + Task = "Ensure nftables base chains exist" + Test = { + try { + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if ($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "nft not installed!" 
+ Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.6" + Task = "Ensure nftables loopback traffic is configured" + Test = { + try { + if ($isIPv6Disabled -ne $true) { + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + $test2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + if ($test1 -match 'iif "lo" accept' -and $test2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + else { + $test = nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + if ($test -match 'ip6 saddr ::1 counter packets 0 bytes 0 drop') { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "nft not installed!" + Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.7" + Task = "Ensure nftables outbound and established connections are configured" + Test = { + try { + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + $test2 = nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + if ($test1 -match "ip protocol tcp ct state established accept" -and $test1 -match "p protocol udp ct state established accept" -and $test1 -match "ip protocol icmp ct state established accept" -and $test2 -match "ip protocol tcp ct state established,related,new accep" -and $test2 -match "ip protocol udp ct state established,related,new accept" -and $test2 -match "ip protocol icmp ct state established,related,new accept") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "nft not installed!" 
+ Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.8" + Task = "Ensure nftables default deny firewall policy" + Test = { + try { + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if ($test1 -match "policy drop" -and $test2 -match "policy drop" -and $test3 -match "policy drop") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "nft not installed!" + Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.9" + Task = "Ensure nftables service is enabled" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "True") { + $test1 = systemctl is-enabled nftables + if ($test1 -match "enabled") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "nftables not installed" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.3.1.1" + Task = "Ensure iptables packages are installed" + Test = { + $testnft = dpkg-query -s nftables + $statusnft = $? + if ($statusnft -match "False") { + $test1 = apt list iptables iptables-persistent + $test1 = $? + if ($test1 -match "True") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "nftables installed instead" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.3.1.2" + Task = "Ensure nftables is not installed with iptables" + Test = { + + $testipt = dpkg-query -s iptables | grep 'Status: install ok installed' + $statusipt = $? + $testnft = dpkg-query -s nftables | grep 'Status: install ok installed' + $statusnft = $? 
+ + if ($statusipt -match "True") { + if ($statusnft -match "True") { + $test1 = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' nftables + if ($test1 -match "nftables\s+unknown ok not-installed\s+not-installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "iptables not installed " + Status = "None" + } + } +} +[AuditTest] @{ + Id = "3.5.3.1.3" + + Task = "Ensure ufw is uninstalled or disabled with iptables" + Test = { + + $testipt = dpkg-query -s iptables | grep 'Status: install ok installed' + $statusipt = $? + $testufw = dpkg-query -s ufw | grep 'Status: install ok installed' + $statusufw = $? + + if ($statusipt -match "True") { + if ($statusufw -match "True") { + $test1 = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' ufw + $test2 = ufw status + $test3 = systemctl is-enabled ufw + if ($test1 -match "ufw\s+unknown ok not-installed\s+not-installed" -and $test2 -match "Status: inactive" -and $test3 -match "masked") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "iptables not installed " + Status = "None" + } + + } +} +[AuditTest] @{ + Id = "3.5.3.2.1" + Task = "Ensure iptables default deny firewall policy" + Test = { + $test1 = iptables -L + if ($test1 -match "Chain INPUT (policy (DROP|REJCET))" -and $test1 -match "Chain FORWARD (policy (DROP|REJCET))" -and $test1 -match "Chain OUTPUT (policy (DROP|REJCET))") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.2.2" + Task = "Ensure iptables loopback traffic is configured" + Test = { + $test1 = iptables -L INPUT -v -n | grep 
"Chain\s*INPUT\s*(policy\s*DROP" + $test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP" + if ($test1 -ne $null -and $test2 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.2.4" + Task = "Ensure iptables firewall rules exist for all open ports" + Test = { + $test1 = ss -4tuln + if ($test1 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.3.1" + Task = "Ensure ip6tables default deny firewall policy" + Test = { + $test1 = ip6tables -L + if ($test1 -match "Chain INPUT (policy (DROP|REJCET))" -and $test1 -match "Chain FORWARD (policy (DROP|REJCET))" -and $test1 -match "Chain OUTPUT (policy (DROP|REJCET))") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.3.3" + Task = "Ensure ip6tables outbound and established connections are configured" + Test = { + return @{ + Message = "Run the following command and verify all rules for new outbound, and established connections match site policy: ip6tables -L -v -n" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.1.1.1" + Task = "Ensure auditd is installed" + Test = { + $test = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' auditd audispd-plugins + if ($test -match "audispd-plugins\s+install ok installed\s+installed" -and $test -match "auditd\s+install ok installed\s+installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.2" + Task = "Ensure auditd service is enabled and active" + Test = { + $test1 = systemctl is-enabled auditd + $test2 = systemctl is-active auditd + if ($test1 -match "enabled" -and 
$test2 -match "active") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.3" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $command = @' + find /boot -type f -name 'grub.cfg' -exec grep -Ph -- '^\h*linux' {} + | grep -v 'audit=1' +'@ + $test = bash -c $command + if ($test -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.4" + Task = "Ensure audit_backlog_limit is sufficient" + Test = { + $command = @' + find /boot -type f -name 'grub.cfg' -exec grep -Ph -- '^\h*linux' {} + | grep -Pv 'audit_backlog_limit=\d+\b' +'@ + $test = bash -c $command + if ($test -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + $test = grep -Po -- '^\h*max_log_file\h*=\h*\d+\b' /etc/audit/auditd.conf + if ($test -match "max_log_file =") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $test = grep max_log_file_action /etc/audit/auditd.conf + if ($test -match "max_log_file_action = keep_logs") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $test1 = grep space_left_action /etc/audit/auditd.conf + $test2 = grep action_mail_acct /etc/audit/auditd.conf + $test3 = grep -E 'admin_space_left_action\s*=\s*(halt|single)' /etc/audit/auditd.conf + if 
($test1 -match "space_left_action = email" -and $test2 -match "action_mail_acct = root" -and $test3 -match "admin_space_left_action = (halt|single)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.1" + Task = "Ensure changes to system administration scope (sudoers) is collected" + Test = { + try { + $res1 = awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | grep -- "-w /etc/sudoers -p wa -k scope" + $res2 = awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | grep -- "-w /etc/sudoers.d -p wa -k scope" + $res3 = auditctl -l | awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | grep -- "-w /etc/sudoers -p wa -k scope" + $res4 = auditctl -l | awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | grep -- "-w /etc/sudoers.d -p wa -k scope" + if ($res1 -ne $null -and $res2 -ne $null -and $res3 -ne $null -and $res4 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.3.2" + Task = "Ensure actions as another user are always logged" + Test = { + $test1 = awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + try { + $test2 = auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + } + catch { + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + if ($test1 -match "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation" -and $test1 -match "-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation" -and $test2 -match "-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation" -and $test2 -match "-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.3" + Task = "Ensure events that modify the sudo log file are collected" + Test = { + $command1 = @' +SUDO_LOG_FILE_ESCAPED=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g') [ -n "${SUDO_LOG_FILE_ESCAPED}" ] && awk "/^ *-w/ \ &&/"${SUDO_LOG_FILE_ESCAPED}"/ \ &&/ +-p *wa/ \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules \ || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n" +'@ + $command2 = @' +SUDO_LOG_FILE_ESCAPED=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? 
.*//' -e 's/"//g' -e 's|/|\\/|g') [ -n "${SUDO_LOG_FILE_ESCAPED}" ] && auditctl -l | awk "/^ *-w/ \ &&/"${SUDO_LOG_FILE_ESCAPED}"/ \ &&/ +-p *wa/ \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \ || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n" +'@ + $test1 = bash -c $command1 + $test2 = bash -c $command2 + if ($test1 -match "-w /var/log/sudo.log -p wa -k sudo_log_file" -and $test2 -match "-w /var/log/sudo.log -p wa -k sudo_log_file") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.4" + Task = "Ensure events that modify date and time information are collected" + Test = { + $test1 = { awk '/^ *-a *always,exit/ \ &&/ -F *arch=b[2346]{2}/ \ &&/ -S/ \ &&(/adjtimex/ \ ||/settimeofday/ \ ||/clock_settime/ ) \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules awk '/^ *-w/ \ &&/\/etc\/localtime/ \ &&/ +-p *wa/ \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules } + $test2 = { auditctl -l | awk '/^ *-a *always,exit/ \ &&/ -F *arch=b[2346]{2}/ \ &&/ -S/ \ &&(/adjtimex/ \ ||/settimeofday/ \ ||/clock_settime/ ) \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' auditctl -l | awk '/^ *-w/ \ &&/\/etc\/localtime/ \ &&/ +-p *wa/ \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' } + if ($test1 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday clock_settime -k time-change" -and $test1 -match "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change" -and $test1 -match "-w /etc/localtime -p wa -k time-change" -and $test2 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change" -and $test2 -match "-a always,exit -F arch=b32 -S adjtimex,settimeofday clock_settime -F key=time-change" -and $test3 -match "-w /etc/localtime -p wa -k time-change") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } 
+ } +} +[AuditTest] @{ + Id = "4.1.3.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + $test1 = awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/sethostname/ ||/setdomainname/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + $test2 = awk "/^ *-w/ &&(/\/etc\/issue/ ||/\/etc\/issue.net/ ||/\/etc\/hosts/ ||/\/etc\/network/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules + try { + $test3 = auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/sethostname/ ||/setdomainname/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + $test4 = auditctl -l | awk '/^ *-w/ &&(/\/etc\/issue/ ||/\/etc\/issue.net/ ||/\/etc\/hosts/ ||/\/etc\/network/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + } + catch { + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + if ($test1 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday clock_settime -k time-change" -and $test1 -match "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change" -and $test1 -match "-w /etc/localtime -p wa -k time-change" -and $test2 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change" -and $test2 -match "-a always,exit -F arch=b32 -S adjtimex,settimeofday clock_settime -F key=time-change" -and $test3 -match "-w /etc/localtime -p wa -k time-change") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.6" + Task = "Ensure use of privileged commands are collected" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path1 = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-A.sh" + $result1 = bash $path1 | grep "Warning" + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path2 = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-B.sh" + $result2 = bash $path2 | grep "Warning" + if ($result1 -eq $null -and $result2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.8" + Task = "Ensure events that modify user/group information are collected" + Test = { + + try { + $dummy = auditctl -l + } + catch { + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + + $output1 = awk '/^ *-w/ \ + &&(/\/etc\/group/ \ + ||/\/etc\/passwd/ \ + ||/\/etc\/gshadow/ \ + ||/\/etc\/shadow/ \ + ||/\/etc\/security\/opasswd/) \ + &&/ +-p *wa/ \ + &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + $result11 = $output1 | grep "\-w /etc/group -p wa -k identity" + $result12 = $output1 | grep "\-w /etc/passwd -p wa -k identity" + $result13 = $output1 | grep "\-w /etc/gshadow -p wa -k identity" + $result14 = $output1 | grep "\-w /etc/shadow -p wa -k identity" + $result15 = $output1 | grep "\-w /etc/security/opasswd -p wa -k identity" + $output2 = auditctl -l | awk '/^ *-w/ \ + &&(/\/etc\/group/ \ + ||/\/etc\/passwd/ \ + ||/\/etc\/gshadow/ \ + ||/\/etc\/shadow/ \ + ||/\/etc\/security\/opasswd/) \ + &&/ +-p *wa/ \ + &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + $result21 = $output2 | grep "\-w /etc/group -p wa -k identity" + $result22 = $output2 | grep "\-w /etc/passwd -p wa -k identity" + $result23 = $output2 | grep "\-w /etc/gshadow -p wa -k identity" + $result24 = $output2 | grep "\-w /etc/shadow -p wa -k identity" + $result25 = $output2 | grep "\-w /etc/security/opasswd -p wa -k identity" + if ($result11 -ne $null -and $result12 -ne $null -and $result13 -ne $null -and $result14 -and $result15 -ne $null -and $result21 -ne $null -and $result22 -ne $null -and $result23 -ne $null -and $result24 -ne $null -and $result25 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.11" + Task = "Ensure session initiation information is collected" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path1 = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-4.1.3.11_1.sh" + $result11 = bash $path1 | grep "\-w /var/run/utmp -p wa -k session" + $result12 = bash $path1 | grep "\-w /var/log/wtmp -p wa -k session" + $result13 = bash $path1 | grep "\-w /var/log/btmp -p wa -k session" + $path2 = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-4.1.3.11_2.sh" + $result21 = bash $path2 | grep "\-w /var/run/utmp -p wa -k session" + $result22 = bash $path2 | grep "\-w /var/log/wtmp -p wa -k session" + $result23 = bash $path2 | grep "\-w /var/log/btmp -p wa -k session" + if ($result11 -ne $null -and $result12 -ne $null -and $result13 -ne $null -and $result21 -ne $null -and $result22 -ne $null -and $result23 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.12" + Task = "Ensure login and logout events are collected" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path1 = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-4.1.3.12_1.sh" + $result11 = bash $path1 | grep "\-w /var/log/lastlog -p wa -k logins" + $result12 = bash $path1 | grep "\-w /var/run/faillock -p wa -k logins" + $path2 = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-4.1.3.12_2.sh" + $result21 = bash $path2 | grep "\-w /var/log/lastlog -p wa -k logins" + $result22 = bash $path2 | grep "\-w /var/run/faillock -p wa -k logins" + if ($result11 -ne $null -and $result12 -ne $null -and $result21 -ne $null -and $result22 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.14" + Task = "Ensure events that modify 
the system's Mandatory Access Controls are collected" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path1 = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-4.1.3.14_1.sh" + $result11 = bash $path1 | grep "\-w /etc/apparmor/ -p wa -k MAC-policy" + $result12 = bash $path1 | grep "\-w /etc/apparmor.d/ -p wa -k MAC-policy" + $path2 = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-4.1.3.14_2.sh" + $result21 = bash $path2 | grep "\-w /etc/apparmor/ -p wa -k MAC-policy" + $result22 = bash $path2 | grep "\-w /etc/apparmor.d/ -p wa -k MAC-policy" + if ($result11 -ne $null -and $result12 -ne $null -and $result21 -ne $null -and $result22 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.20" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + $test = grep -Ph -- '^\h*-e\h+2\b' /etc/audit/rules.d/*.rules | tail -1 + if ($test -match "-e 2") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.3.21" + Task = "Ensure the running and on disk configuration is the same" + Test = { + return @{ + Message = "Ensure that all rules in /etc/audit/rules.d have been merged into /etc/audit/audit.rules: augenrules --check \n/usr/sbin/augenrules: No change \nShould there be any drift, run augenrules --load to merge and load all rules." 
+ Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.1.4.1" + Task = "Ensure audit log files are mode 0640 or less permissive" + Test = { + $command = @' +dir=$(awk -F= '/^log_file/ {print $2}' /etc/audit/auditd.conf | xargs dirname) && [ $(stat -c "%a" "$dir") -le 640 ] && echo "PASS: Directory permissions are 0640 or less permissive" || echo "FAIL: Directory permissions are more permissive" +'@ + $result = bash -c $command + if ($result -match " PASS ") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.2" + Task = "Ensure only authorized users own audit log files" + Test = { + $test1 = stat -Lc "%n %U" "$(dirname $(awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf | xargs))"/* | grep -Pv -- '^\H+\h+root\b' + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.3" + Task = "Ensure only authorized groups are assigned ownership of audit log files" + Test = { + $test1 = grep -Piw -- '^\h*log_group\h*=\h*(adm|root)\b' /etc/audit/auditd.conf + $test2 = stat -c "%n %G" "$(dirname $(awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf | xargs))"/* | grep -Pv '^\h*\H+\h+(adm|root)\b' + if ($test1 -match "(log_group = adm)|(log_group = root)" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.4" + Task = "Ensure the audit log directory is 0750 or more restrictive" + Test = { + $test1 = stat -Lc "%n %a" "$(dirname $( awk -F"=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf))" | grep -Pv -- '^\h*\H+\h+([0,5,7][0,5]0)' + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = 
"False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.5" + Task = "Ensure audit configuration files are 640 or more restrictive" + Test = { + $command = @' + find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec stat -Lc "%n %a" {} + | grep -Pv -- '^\h*\H+\h*([0,2,4,6][0,4]0)\h*$' +'@ + $test1 = bash -c $command + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.6" + Task = "Ensure audit configuration files are owned by root" + Test = { + $command = @' +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root +'@ + $test1 = bash -c $command + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.7" + Task = "Ensure audit configuration files belong to group root" + Test = { + $command = @' +find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! 
-group root +'@ + $test1 = bash -c $command + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.8" + Task = "Ensure audit tools are 755 or more restrictive" + Test = { + $test1 = stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+([0-7][0,1,4,5][0,1,4,5])\h*$' + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.9" + Task = "Ensure audit tools are owned by root" + Test = { + $test1 = stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+root\h*$' + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.10" + Task = "Ensure audit tools belong to group root" + Test = { + $test1 = stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+([0-7][0,1,4,5][0,1,4,5])\h+root\h+root\h*$' + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.4.11" + Task = "Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + Test = { + $test1 = grep -Ps -- '(\/sbin\/(audit|au)\H*\b)' /etc/aide/aide.conf.d/*.conf /etc/aide/aide.conf + if ($test1 -match "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $test1 -match "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $test1 -match "/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $test1 -match "/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" -and 
+ $test1 -match "/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $test1 -match "/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.1.1" + Task = "Ensure systemd-journal-remote is installed" + Test = { + $test1 = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' systemd-journal-remote + if ($test1 -match "systemd-journal-remote\s+install ok installed\s+installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.1.2" + Task = "Ensure systemd-journal-remote is configured" + Test = { + return @{ + Message = 'Verify systemd-journal-remote is configured. Run the following command: grep -P "^ *URL=|^ *ServerKeyFile=|^ *ServerCertificateFile=|^ *TrustedCertificateFile=" /etc/systemd journal-upload.conf' + Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.2.1.1.3" + Task = "Ensure systemd-journal-remote is enabled" + Test = { + $test1 = systemctl is-enabled systemd-journal-upload.service + if ($test1 -match "enabled") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.1.4" + Task = "Ensure journald is not configured to recieve logs from a remote client" + Test = { + $test1 = systemctl is-enabled systemd-journal-remote.socket + if ($test1 -match "disabled") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.2" + Task = "Ensure journald service is enabled" + Test = { + $test1 = systemctl is-enabled systemd-journald.service + if ($test1 -match "static") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.3" + Task = "Ensure journald is configured to compress large log files" + Test = { + $test1 = grep ^\s*Compress /etc/systemd/journald.conf + if ($test1 -match "Compress=yes") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.4" + Task = "Ensure journald is configured to write logfiles to persistent disk" + Test = { + $test1 = grep ^\s*Storage /etc/systemd/journald.conf + if ($test1 -match "Storage=persistent") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.5" + Task = "Ensure journald is not configured to send logs to rsyslog" + Test = { + $test1 = grep ^\s*ForwardToSyslog /etc/systemd/journald.conf + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.6" + Task = "Ensure journald log rotation is configured per site policy" + Test = { + return @{ + Message = "Review /etc/systemd/journald.conf and verify logs are rotated according to site policy. The specific parameters for log rotation are:\n + SystemMaxUse=\n + SystemKeepFree=\n + RuntimeMaxUse=\n + RuntimeKeepFree=\n + MaxFileSec=" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.2.1.7" + Task = "Ensure journald default file permissions configured" + Test = { + return @{ + Message = "First see if there is an override file /etc/tmpfiles.d/systemd.conf. If so, this file will override all default settings as defined in /usr/lib/tmpfiles.d/systemd.conf and should be inspected. If there is no override file, inspect the default /usr/lib/tmpfiles.d/systemd.conf against the site specific requirements. Ensure that file permissions are 0640. 
Should a site policy dictate less restrictive permissions, ensure to follow said policy. NOTE: More restrictive permissions such as 0600 is implicitly sufficient." + Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.2.2.1" + Task = "Ensure rsyslog is installed" + Test = { + $test1 = dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' rsyslog + if ($test1 -match "rsyslog\s+install ok installed\s+installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.2.2" + Task = "Ensure rsyslog service is enabled" + Test = { + $test1 = systemctl is-enabled rsyslog + if ($test1 -match "enabled") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.2.3" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $test1 = grep ^\s*ForwardToSyslog /etc/systemd/journald.conf + if ($test1 -match "ForwardToSyslog=yes") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.2.4" + Task = "Ensure rsyslog default file permissions are configured" + Test = { + $test1 = grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if ($test1 -match "$FileCreateMode 0640") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.2.6" + Task = "Ensure rsyslog is configured to send logs to a remote log host" + Test = { + return @{ + Message = "Review the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and verify that logs are sent to a central host (where loghost.example.com is the name of your central log host):" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.2.2.7" + Task = "Ensure rsyslog is not configured to 
receive logs from a remote client" + Test = { + $test1 = grep -s '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + $test2 = grep -s '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if ($test1 -eq $null -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.3" + Task = "Ensure all logfiles have appropriate permissions and ownership" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-4.2.3.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.2.7" + Task = "Ensure rsyslog is not configured to receive logs from a remote client" + Test = { + $test1 = grep '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + $test2 = grep '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if ($test1 -eq $null -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled and running" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if ($test1 -eq "enabled" -and $test2 -match "running") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test1 = stat /etc/crontab | grep 0600 + if ($test1 -ne $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } 
+} +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $test1 = stat /etc/cron.hourly/ + if ($test1 -eq "Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $test1 = stat /etc/cron.daily/ + if ($test1 -eq "Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $test1 = stat /etc/cron.weekly/ + if ($test1 -eq "Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $test1 = stat /etc/cron.monthly/ + if ($test1 -eq "Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $test1 = stat /etc/cron.d/ + if ($test1 -eq "Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure cron is restricted to authorized users" + Test = { + $test1 = stat /etc/cron.deny + $test1 = $? 
+ $test2 = stat /etc/cron.allow + if ($test1 -match "False" -and $test2 -match "0640\s*.*Uid.*root.*Gid.*root") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure at is restricted to authorized users" + Test = { + $test1 = stat /etc/at.deny + $test1 = $? + $test2 = stat /etc/at.allow | grep 0640 + if ($test1 -match "False" -and $test2 -eq "Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure permissions on /etc/ssh/sshd_config are configured" + Test = { + try { + try { + $test1 = stat /etc/ssh/sshd_config | grep 0600 + } + catch { + return @{ + Message = "Path not found!" + Status = "False" + } + } + + if ($test1 -eq "Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure permissions on SSH private host key files are configured" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-5.2.2.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + $res = bash -c "find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat {} \;" | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)\s*" + if ($res.count -eq 3) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.4" + Task = "Ensure SSH access is limited" + Test = { + try { + $result = bash -c "sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*(allow|deny)(users|groups)\s+\S+'" + if ($result -match "allowusers" -or $result -match "allowgroups" -or $result -match "denyusers" -or $result -match "denygroups") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.2.5" + Task = "Ensure SSH LogLevel is appropriate" + Test = { + try { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep loglevel + try { + $test2 = grep -is 'loglevel' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi '(VERBOSE|INFO)' + } + catch { + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if (($test1 -match "loglevel VERBOSE" -or $test1 -match "loglevel INFO") -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.2.6" + Task = "Ensure SSH PAM is enabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i usepam + $test2 = grep -Ei '^\s*UsePAM\s+no' /etc/ssh/sshd_config + if ($test1 -match "usepam yes" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.7" + Task = "Ensure SSH root login is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootlogin + $test2 = grep -Ei '^\s*PermitRootLogin\s+no' /etc/ssh/sshd_config + if ($test1 -match "permitrootlogin no" -and $test2 -match "PermitRootLogin no") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.8" + Task = "Ensure SSH HostbasedAuthentication is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep hostbasedauthentication + $test2 = grep -Ei '^\s*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config + if ($test1 -match "hostbasedauthentication no" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.9" + Task = "Ensure SSH PermitEmptyPasswords is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C 
addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitemptypasswords + $test2 = grep -Ei '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config + if ($test1 -match "permitemptypasswords no" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.10" + Task = "Ensure SSH PermitUserEnvironment is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permituserenvironment + $test2 = grep -Ei '^\s*PermitUserEnvironment\s+yes' /etc/ssh/sshd_config + if ($test1 -match "permituserenvironment no" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.11" + Task = "Ensure SSH IgnoreRhosts is enabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ignorerhosts + $test2 = grep -Ei '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config + if ($test1 -match "ignorerhosts yes" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.12" + Task = "Ensure SSH X11 forwarding is disabled" + Test = { + try { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i x11forwarding + try { + $test2 = grep -Eis '^\s*x11forwarding\s+yes' /etc/ssh/sshd_config/etc/ssh/sshd_config.d/*.conf + } + catch { + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if ($test1 -match "x11forwarding no" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.2.13" + Task = "Ensure only strong Ciphers are used" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ciphers + if ($test1 -notmatch "(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.14" + Task = "Ensure only strong MAC algorithms are used" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i "MACs" + if ($test1 -notmatch "(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh.com|umac-128@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|hmac-ripemd160-etm@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.15" + Task = "Ensure only strong Key Exchange algorithms are used" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep kexalgorithms + if ($test1 -notmatch "(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.16" + Task = "Ensure SSH AllowTcpForwarding is disabled" + Test = 
{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i allowtcpforwarding + $test2 = grep -Ei '^\s*AllowTcpForwarding\s+yes' /etc/ssh/sshd_config + if ($test1 -match "allowtcpforwarding no" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.17" + Task = "Ensure SSH warning banner is configured" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep banner + if ($test1 -match "banner /etc/issue.net") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.18" + Task = "Ensure SSH MaxAuthTries is set to 4 or less" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep maxauthtries + $test2 = grep -Ei '^\s*maxauthtries\s+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config + if ($test1 -match "maxauthtries 4" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.19" + Task = "Ensure SSH MaxStartups is configured" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups + $test2 = grep -Ei '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config + if ($test1 -match "maxstartups 10:30:60" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = 
"5.2.20" + Task = "Ensure SSH MaxSessions is set to 10 or less" + Test = { + try { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxsessions | cut -d ' ' -f 2 + + try { + $test2 = grep -Eis '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)'/etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch { + return @{ + Message = "Path not found!" + Status = "False" + } + } + if ($test1 -le 10 -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.2.21" + Task = "Ensure SSH LoginGraceTime is set to one minute or less" + Test = { + try { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime | cut -d ' ' -f 2 + try { + $test2 = grep -Eis '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch { + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if (($test1 -ge 1 -and $test1 -le 60) -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.2.22" + Task = "Ensure SSH Idle Timeout Interval is configured" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientaliveinterval + $test2 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientalivecountmax + if ($test1 -match "clientaliveinterval 15" -and $test2 -match "clientalivecountmax 3") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.1" + Task = "Ensure sudo is installed" + Test = { + $command = @' +dpkg-query -W sudo sudo-ldap > /dev/null 2>&1 && dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n' sudo sudo-ldap | awk '($4=="installed" && $NF=="installed") {print "\n""PASS:""\n""Package ""\""$1"\""" is installed""\n"}' || echo -e "\nFAIL:\nneither \"sudo\" or \"sudo-ldap\" package is installed\n" +'@ + $test1 = bash -c $command + if ($test1 -match "PASS:") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.2" + Task = "Ensure sudo commands use pty" + Test = { + $test1 = grep -rPi '^\h*Defaults\h+([^#\n\r]+,)?use_pty(,\h*\h+\h*)*\h*(#.*)?$' /etc/sudoers* + if ($test1 -match "/etc/sudoers:Defaults use_pty") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.3" + Task = "Ensure sudo log file exists" + Test = { + $command = @' + 
grep -rPsi "^\h*Defaults\h+([^#]+,\h*)?logfile\h*=\h*(\"|\')?\H+(\"|\')?(,\h*\H+\h*)*\h* (#.*)?$" /etc/sudoers* +'@ + $test1 = bash -c $command + + if ($test1 -eq $null) { + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + + + } +} +[AuditTest] @{ + Id = "5.3.4" + Task = "Ensure users must provide password for privilege escalation" + Test = { + $test1 = grep -r "^[^#].*NOPASSWD" /etc/sudoers* + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.5" + Task = "Ensure re-authentication for privilege escalation is not disabled globally" + Test = { + $test1 = grep -r "^[^#].*\!authenticate" /etc/sudoers* + if ($test1 -match '!authenticate') { + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3.6" + Task = "Ensure sudo authentication timeout is configured correctly" + Test = { + #todo + $test1 = grep -roP "timestamp_timeout=\K[0-9]*" /etc/sudoers* + if ($test1 -match 'auth required pam_wheel.so use_uid group=') { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.7" + Task = "Ensure access to the su command is restricted" + Test = { + #todo + $test1 = grep -Pi '^\h*auth\h+(?:required|requisite)\h+pam_wheel\.so\h+(?:[^#\n\r]+\h+)?((?!\2)(use_uid\b|group=\H+\b))\h+(?:[^#\n\r]+\h+)?((?!\1)(use_uid\b|group=\H+\b))(\h+.*)?$' /etc/pam.d/su + if ($test1 -match 'auth required pam_wheel.so use_uid group=') { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.4.1" + Task = "Ensure password creation requirements are configured" + Test = { + $test1 = grep 
'^\s*minlen\s*' /etc/security/pwquality.confsu + if ($test1 -match 'minlen = 14') { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.4.4" + Task = "Ensure password hashing algorithm is up to date with the latest standards" + Test = { + $test1 = grep -i "^\s*ENCRYPT_METHOD\s*yescrypt\s*$" /etc/login.defs + if ($test1 -match 'ENCRYPT_METHOD yescrypt') { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.4.5" + Task = "Ensure all current passwords uses the configured hashing algorithm" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-5.4.5.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.1" + Task = "Ensure minimum days between password changes is configured" + Test = { + $test1 = grep -E '^[[:space:]]*PASS_MIN_DAYS[[:space:]]+' /etc/login.defs | grep -v '^#' + if ($test1 -ge 1) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.2" + Task = "Ensure password expiration is 365 days or less" + Test = { + $test1 = awk '/^PASS_MAX_DAYS/ && $2 <= 365 {print "true"; exit}' /etc/login.defs + $test2 = awk -F: '(/^[^:]+:[^!*]/ && ($5>365 || $5~/([0-1]|-1|\s*)/)){print $1 " " $5}' /etc/shadow + if ($test1 -match 'true' -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.3" + Task = "Ensure password expiration warning days is 7 or more" + 
Test = { + $test1 = grep PASS_WARN_AGE /etc/login.defs | cut -d ' ' -f2 + if ($test1 -ge 7) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.4" + Task = "Ensure inactive password lock is 30 days or less" + Test = { + $test1 = useradd -D | grep INACTIVE | cut -d '=' -f2 + if ($test1 -le 30) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.5" + Task = "Ensure all users last password change date is in the past" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-5.5.1.5.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.2" + Task = "Ensure system accounts are secured" + Test = { + $test1 = awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd + $test2 = awk -F: '($1!~/(root|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}' + if ($test1 -eq $null -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.3" + Task = "Ensure default group for the root account is GID 0" + Test = { + $test1 = grep "^root:" /etc/passwd | cut -f4 -d ':' + if ($test1 -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.4" + Task = "Ensure default user umask is 
027 or more restrictive" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/CIS-Ubuntu22.04_LTS-5.5.4.sh" + $result = bash $path + $test2 = grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bash.bashrc* + if ($result -match "Default user umask is set" -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.5" + Task = "Ensure default user shell timeout is 900 seconds or less" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.5.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/passwd + if ($test1 -match "/etc/passwd\s+644\s+0/root\s+0/root") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat /etc/passwd- + if ($test1 -eq "Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure permissions on /etc/group are configured" + Test = { + $test1 = stat /etc/group + if ($test1 -eq "Access: (0644/-rw-r--r--) Uid: ( 0/ 
root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.4" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat /etc/group- | grep 0644 + if ($test1 -eq "Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.5" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat /etc/shadow | grep 0640 + if ($test1 -eq "Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.6" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat /etc/shadow- | grep 0640 + if ($test1 -eq "Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.7" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat /etc/gshadow | grep 0640 + if ($test1 -eq "Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.8" + Task = "Ensure permissions on /etc/gshadow- are configured" + Test = { + $test1 = stat /etc/gshadow- | grep 0640 + if ($test1 -eq "Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.9" + Task = "Ensure no 
world writable files exist" + Test = { + #$partitions = mapfile -t partitions < (sudo fdisk -l | grep -o '/dev/[^ ]*') + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.10" + Task = "Ensure no unowned files or directories exist" + Test = { + $command = @' +df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser +'@ + $test1 = bash -c $command + + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.11" + Task = "Ensure no ungrouped files or directories exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.12" + Task = "Audit SUID executables" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + $message = "" + foreach ($line in $test1) { + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "6.1.13" + Task = "Audit SGID executables" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + $message = "" + foreach ($line in $test1) { + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "6.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $test1 = awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.2" + Task = "Ensure /etc/shadow password fields are not empty" + Test = { + $test1 = awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow + if ($test1 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.3" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.3.sh" + $result = bash $path + $status = $? 
+ + if ($status -match "True") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.4" + Task = "Ensure shadow group is empty" + Test = { + $test1 = awk -F: '($1=="shadow") {print $NF}' /etc/group + $test2 = awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd + if ($test1.Length -eq 0 -and $test2 -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.5" + Task = "Ensure no duplicate UIDs exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.5.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.6" + Task = "Ensure no duplicate GIDs exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.6.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.7" + Task = "Ensure no duplicate user names exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.7.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.8" + Task = "Ensure no duplicate group names exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.8.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.9" + Task = "Ensure root PATH Integrity" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.9.sh" + $result = bash $path + if ($result -eq $null) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.10" + Task = "Ensure root is the only UID 0 account" + Test = { + $test1 = awk -F: '($3 == 0) { print $1 }' /etc/passwd + if ($test1 -eq "root") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.11" + Task = "Ensure local interactive user home directories exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.11.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.12" + Task = "Ensure local interactive users own their home directories" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.12.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.13" + Task = "Ensure local interactive user home directories are mode 750 or more restrictive" + Test 
= { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.13.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.14" + Task = "Ensure no local interactive user has .netrc files" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.14.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.15" + Task = "Ensure no local interactive user has .forward files" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.15.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.16" + Task = "Ensure no local interactive user has .rhosts files" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + "/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.16.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.17" + Task = "Ensure local interactive user dot files are not group or world writable" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath + 
"/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.17.sh" + $result = bash $path + foreach ($line in $result) { + if (!($line -match "PASS")) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Debian Linux 12-CIS-1.0.1.ps1 b/ATAPAuditor/AuditGroups/Debian Linux 12-CIS-1.0.1.ps1 new file mode 100644 index 0000000..bbb1770 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Debian Linux 12-CIS-1.0.1.ps1 
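Review bot: the PASS loop in tests 6.2.11 through 6.2.17 of the Debian 11 file is inverted: `if (!($line -match "PASS")) { return @{ Message = "Compliant" Status = "True" } }` returns Compliant on the first line that is not a PASS line and falls through to Non-Compliant only when every line is PASS (or when the helper script prints nothing at all), so a failing home-directory, .netrc, .forward, .rhosts or dot-file check is reported as compliant. Swap the two return blocks so that a non-PASS line yields Non-Compliant and the return after the loop yields Compliant. In 6.2.10, `if ($test1 -eq "root")` is evaluated against the whole output of the awk call; when more than one UID 0 account exists `$test1` is an array and `-eq` filters it to the matching element instead of comparing, so `@("root","toor") -eq "root"` is still truthy and the test passes; check `@($test1).Count -eq 1 -and $test1 -eq "root"` instead. Minor: 6.2.3 stores `$?` in `$status` and matches it against "True", which works only because the boolean is stringified; comparing `$status -eq $true` is clearer.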
@@ -0,0 +1,4115 @@ +$rcTrue = "True" +$rcCompliant = "Compliant" +$rcFalse = "False" +$rcNone = "None" +$rcNonCompliant = "Non-Compliant" +$rcNonCompliantManualReviewRequired = "Manual review required" +$rcCompliantIPv6isDisabled = "IPv6 is disabled" +$rcFirewallStatus1 = "Using nftables" +$rcFirewallStatus2 = "Using ufw" +$rcFirewallStatus3 = "Using iptables" + +$retCompliant = @{ + Message = $rcCompliant + Status = $rcTrue +} +$retNonCompliant = @{ + Message = $rcNonCompliant + Status = $rcFalse +} +$retCompliantIPv6Disabled = @{ + Message = $rcCompliantIPv6isDisabled + Status = $rcTrue +} +$retNonCompliantManualReviewRequired = @{ + Message = $rcNonCompliantManualReviewRequired + Status = $rcNone +} +$retUsingFW1 = @{ + Message = $rcFirewallStatus1 + Status = $rcNone +} +$retUsingFW2 = @{ + Message = $rcFirewallStatus2 + Status = $rcNone +} +$retUsingFW3 = @{ + Message = $rcFirewallStatus3 + Status = $rcNone +} + +# Firewall evaluation +function GetFirewallStatus { + # 0 - undefined + # 1 - using nftables + # 2 - using ufw + # 3 - using iptables + + $t_UFW = dpkg-query -f='${db:Status-Abbrev}' -W ufw 2>/dev/null + $t_NFT = dpkg-query -f='${db:Status-Abbrev}' -W nftables 2>/dev/null + $t_IPT = dpkg-query -f='${db:Status-Abbrev}' -W iptables 2>/dev/null + $t_UFW_en = systemctl is-enabled ufw 2>/dev/null + if ($t_UFW -match "ii"){ + $t_UFW_inac = ufw status 2>/dev/null | grep -iE "Status: Ina[ck]tive?" + $t_UFW_ac = ufw status 2>/dev/null | grep -iE "Status: A[ck]tive?" 
+ } else { + $t_UFW_ac = $null + $t_UFW_inac = $null + } + $t_NFT_en = systemctl is-enabled nftables.service 2>/dev/null + + # Testing 1 - nftable installed, ufw not or inactive + if ($t_NFT -match "ii" -and $t_IPT -match "^(rc |un |)$" -and ($t_UFW -match "^(rc |un |)$" -or $t_UFW_inac -ne $null) -and $t_NFT_en -match "enabled"){ + return 1 + } + + # Testing 2 - ufw, iptables installed, nftables not + if ( $t_UFW -match "ii" -and $t_UFW_ac -ne $null -and $t_UFW_en -match "enabled" -and $t_IPT -match "ii" -and $t_NFT -match "^(rc |un |)$"){ + return 2 + } + + # Testing 3 - only iptables + if ($t_NFT -match "^(rc |un |)$" -and $t_UFW -match "^(rc |un |)$" -and $t_IPT -match "ii"){ + return 3 + } + + return 0 +} + +$FirewallStatus = GetFirewallStatus + +$parentPath = Split-Path -Parent -Path $PSScriptRoot +$scriptPath = $parentPath + "/Helpers/ShellScripts/Ubuntu22.04_Debian12/" +$commonPath = $parentPath + "/Helpers/ShellScripts/common/" + +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure cramfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure freevxfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.3" + Task = "Ensure hfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.4" + Task = "Ensure hfsplus kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.5" + Task = "Ensure jffs2 kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.6" + Task = "Ensure squashfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.7" + Task = "Ensure udf kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.8" + Task = "Ensure usb-storage kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.1" + Task = "Ensure /tmp is a separate partition" + Test = { + $result = findmnt --kernel /tmp + if($result -match "/tmp"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.1.2" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $script = $commonPath + "1.1.2.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.3" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $script = $commonPath + "1.1.2.1.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.4" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep noexec + if($result -match "noexec"){ + return $retCompliant + } + + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "1.1.2.2.1" + Task = "Ensure /dev/shm is a separate partition" + Test = { + $script = $scriptPath + "1.1.2.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2.2.2" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.2.3" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.2.4" + Task = "Ensure noexec option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.3.1" + Task = "Ensure separate partition exists for /home" + Test = { + $result = findmnt --kernel /home + if($result -match "/home"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.3.2" + Task = "Ensure nodev option set on /home partition" + Test = { + $script = $commonPath + "1.1.2.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.3.3" + Task = "Ensure nosuid option set on /home partition" + Test = { + $script = $commonPath + "1.1.2.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.4.1" + Task = "Ensure separate partition exists for /var" + Test = { + $result = findmnt --kernel /var + if($result -match !$null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.4.2" + Task = "Ensure nodev option set on /var partition" + Test = { + $script = $commonPath + "1.1.2.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.4.3" + Task = "Ensure nosuid option set on /var partition" + Test = { + $script = $commonPath + "1.1.2.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.1" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result = findmnt --kernel /var/tmp + if($result -match "/var/tmp"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.5.2" + Task = "Ensure nodev option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.3" + Task = "Ensure nosuid option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.4" + Task = "Ensure noexec option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.1" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result = findmnt --kernel /var/log + if($result -match !$null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.6.2" + Task = "Ensure nodev option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.3" + Task = "Ensure nosuid option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.4" + Task = "Ensure noexec option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.1" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit + if($result -match "/var/log/audit"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.7.2" + Task = "Ensure nodev option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.3" + Task = "Ensure nosuid option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.4" + Task = "Ensure noexec option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.2.1.1" + Task = "Ensure GPG keys are configured" + Test = { + $result = apt-key list + if($result -ne $null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.2.1.2" + Task = "Ensure package manager repositories are configured" + Test = { + $result = apt-cache policy + if($result -ne $null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.2.2.1" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + $output = apt -s upgrade + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.3.1.1" + Task = "Ensure AppArmor is installed" + Test = { + $result = dpkg-query -W -f='${db:Status-Abbrev}' apparmor 2>/dev/null + + if($result -match "ii"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.3.1.2" + Task = "Ensure AppArmor is enabled in the bootloader configuration" + Test = { + $script = $scriptPath + "1.3.1.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.3.1.3" + Task = "Ensure all AppArmor Profiles are in enforce or complain mode" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + $profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1 + $result = expr $profileMode3 + $profileMode2 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + + if($result -eq $profileMode1 -and $unconfinedProcesses -eq 0){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.3.1.4" + Task = "Ensure all AppArmor Profiles are enforcing" + Test = { + $script = $scriptPath + "1.3.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure bootloader password is set" + Test = { + $result1 = grep "^set superusers" /boot/grub/grub.cfg + $result2 = grep "^password" /boot/grub/grub.cfg + if($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure access to bootloader config is configured" + Test = { + $script = $commonPath + "1.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure address space layout randomization is enabled" + Test = { + $script = $commonPath + "1.5.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure ptrace_scope is restricted" + Test = { + $script = $commonPath + "1.5.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure core dumps are restricted" + Test = { + $script = $scriptPath + "1.5.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.4" + Task = "Ensure prelink is not installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W prelink 2>/dev/null + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "1.5.5" + Task = "Ensure Automatic Error Reporting is not enabled" + Test = { + $result1 = dpkg-query -s apport > /dev/null 2>&1 && grep -Psi -- '^\h*enabled\h*=\h*[^0]\b' /etc/default/apport + $result2 = systemctl is-active apport.service | grep '^active' + if($result1 -eq $null -and $result2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.1" + Task = "Ensure message of the day is configured properly" + Test = { + $script = $scriptPath + "1.6.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.6.2" + Task = "Ensure local login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue + + if($output1 -eq $null){ + return $retCompliant + } + + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + + if($output1 -ne $null -and $output2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue.net + + if($output1 -eq $null){ + return $retCompliant + } + + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + + if($output1 -ne $null -and $output2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.4" + Task = "Ensure access to /etc/motd is configured" + Test = { + $script = $scriptPath + "1.6.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.6.5" + Task = "Ensure access to /etc/issue is configured" + Test = { + $output = stat -c '%#a' /etc/issue | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.6" + Task = "Ensure access to /etc/issue.net is configured" + Test = { + $output = stat -c '%#a' /etc/issue.net | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.1" + Task = "Ensure GDM is removed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W gdm3 2>/dev/null + if($test1 -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.2" + Task = "Ensure GDM login banner is configured" + Test = { + $path = $scriptPath + "1.8.2.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.3" + Task = "Ensure GDM disable-user-list option is enabled" + Test = { + $path = $scriptPath + "1.8.3.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.4" + Task = "Ensure GDM screen locks when the user is idle" + Test = { + $path = $scriptPath + "1.8.4.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.5" + Task = "Ensure GDM screen locks cannot be overridden" + Test = { + $path = $scriptPath + "1.8.5.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.6" + Task = "Ensure GDM automatic mounting of removable media is disabled" + Test = { + $path = $scriptPath + "1.8.6.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.7" + Task = "Ensure GDM disabling automatic mounting of removable media 
is not overridden" + Test = { + $path = $scriptPath + "1.8.7.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.8" + Task = "Ensure GDM autorun-never is enabled" + Test = { + $path = $scriptPath + "1.8.8.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.9" + Task = "Ensure GDM autorun-never is not overridden" + Test = { + $path = $scriptPath + "1.8.9.sh" + $result=bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.10" + Task = "Ensure XDCMP is not enabled" + Test = { + $script = $scriptPath + "1.7.10.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.1.1" + Task = "Ensure autofs services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null autofs + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null autofs.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.2" + Task = "Ensure avahi daemon services are not in use" + Test = { + $status = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null avahi-daemon + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null avahi-daemon.socket + if(! $?){ + $test3 = systemctl is-enabled 2>/dev/null avahi-daemon.service + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.3" + Task = "Ensure dhcp server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null isc-dhcp-server + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null isc-dhcp-server.service + if(! 
$?){ + $test2 = systemctl is-enabled 2>/dev/null isc-dhcp-server6.service + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.4" + Task = "Ensure dns server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null bind9 + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null bind9.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.5" + Task = "Ensure dnsmasq server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null dnsmasq + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null dnsmasq.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.6" + Task = "Ensure ftp server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null vsftpd + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null vsftpd.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.7" + Task = "Ensure ldap server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null slapd + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null slapd.service + if(! 
$?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.8" + Task = "Ensure message access server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null dovecot-imapd + $test2 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null dovecot-pop3d + if("$test1" -match "^(rc |un |)$" -and "$test2" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test3 = systemctl is-enabled 2>/dev/null dovecot.socket + if(! $?){ + $test4 = systemctl is-enabled 2>/dev/null dovecot.service + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.9" + Task = "Ensure network file system services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null nfs-kernel-server + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null nfs-kernel.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.10" + Task = "Ensure nis server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null ypserv + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null ypserv.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.11" + Task = "Ensure print server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null cups + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null cups.service + if(! $?){ + $test3 = systemctl is-enabled 2>/dev/null cups.socket + if(! 
$?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.12" + Task = "Ensure rpcbind services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null rpcbind + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null rpcbind.service + if(! $?){ + $test3 = systemctl is-enabled 2>/dev/null rpcbind.socket + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.13" + Task = "Ensure rsync services are not in use" + Test = { + $script = $commonPath + "2.1.13.sh" + bash $script + if ($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.14" + Task = "Ensure samba file server services are not in use" + Test = { + $test1 = dpkg-query -W -f='${db:Status-Abbrev}' samba 2>/dev/null + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null samba.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.15" + Task = "Ensure snmp services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null snmpd + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null snmpd.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.16" + Task = "Ensure tftp server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null tftpd-hpa + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null tftpd-hpa.service + if(! 
$?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.17" + Task = "Ensure web proxy server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null squid + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null squid.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.18" + Task = "Ensure web server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null apache2 + $test2 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null ginx + if("$test1" -match "^(rc |un |)$" -and "$test2" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $services = 'apache2.service', 'apache2.socket', 'nginx.service', 'nginx.socket' + $test3 = "disabled" + foreach ($service in $services){ + $test4 = systemctl is-enabled $service 2>/dev/null + if($?){ + $test3 = "enabled" + } + } + if($test3 -match "disabled"){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.19" + Task = "Ensure xinetd services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null xinetd + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null xinetd.service + if(! 
$?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.20" + Task = "Ensure X window server services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null xserver-commen + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.21" + Task = "Ensure mail transfer agent is configured for local-only mode" + Test = { + $test1 = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.22" + Task = "Ensure only approved services are listening on a network interface" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "2.2.1" + Task = "Ensure NIS Client is not installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W nis 2>/dev/null + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure rsh client is not installed" + Test = { + $status = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null rsh-client + if($status -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.3" + Task = "Ensure talk client is not installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null talk + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure telnet client Server is not installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W telnet 2>/dev/null + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure ldap client is not installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W lapd-utils 2>/dev/null + 
if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.6" + Task = "Ensure ftp client is not installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W ftp 2>/dev/null + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.3.1.1" + Task = "Ensure a single time synchronization daemon is in use" + Test = { + $path = $scriptPath + "2.1.1.1.sh" + $result=bash $path + if($result -match "PASS:"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "Ensure systemd-timesyncd configured with authorized timeserver" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "Ensure systemd-timesyncd is enabled and running" + Test = { + $test1 = systemctl is-enabled systemd-timesyncd.service + $time = timedatectl status + if($test1 -match "enabled" -and $time -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.3.3.1" + Task = "Ensure chrony is configured with authorized timeserver" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "2.3.3.2" + Task = "Ensure chrony is running as user _chrony" + Test = { + $script = $scriptPath + "2.3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.3.3.3" + Task = "Ensure chrony is enabled and running" + Test = { + $test1 = $(systemctl is-enabled cron.service 1>/dev/null 2>/dev/null; echo $?) + $test2 = $(systemctl is-active cron.service 1>/dev/null 2>/dev/null; echo $?) 
+ if($test1 -and $test2 ){ + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.1" + Task = "Ensure cron daemon is enabled and active" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if($test1 -eq "enabled" -and $test2 -match "running"){ + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test1 = stat -c '%#a' /etc/crontab | grep -q "0600" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.hourly/ | grep -q 0700 + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.daily/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.weekly/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.monthly/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.d/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.8" + Task = "Ensure crontab is restricted to authorized users" + Test = { + $script = $commonPath + "2.4.1.8.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.4.2.1" + Task = "Ensure at is restricted to authorized users" + Test = { + $script = $commonPath + "2.4.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.1.1" + Task = "Ensure IPv6 status is identified" + Test = { + $path = $scriptPath + "3.1.1.sh" + $result=bash $path + if($result -match "IPv6 is enabled on the system"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $script = $commonPath + "3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.1.3" + Task = "Ensure bluetooth services are not in use" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null bluez + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null bluetooth.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "3.2.1" + Task = "Ensure dccp kernel module is not available" + Test = { + $script = $commonPath + "3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure tipc kernel module is not available" + Test = { + $script = $commonPath + "3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.3" + Task = "Ensure rds kernel module is not available" + Test = { + $script = $commonPath + "3.2.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.4" + Task = "Ensure sctp kernel module is not available" + Test = { + $script = $commonPath + "3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure ip forwarding is disabled" + Test = { + $script = $commonPath + "3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure packet redirect sending is disabled" + Test = { + $script = $commonPath + "3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.3" + Task = "Ensure bogus icmp responses are ignored" + Test = { + $script = $commonPath + "3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure broadcast icmp requests are ignored" + Test = { + $script = $commonPath + "3.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure icmp redirects are not accepted" + Test = { + $script = $commonPath + "3.3.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure secure icmp redirects are not accepted" + Test = { + $script = $commonPath + "3.3.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure reverse path filtering is enabled" + Test = { + $script = $commonPath + "3.3.7.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure source routed packets are not accepted" + Test = { + $script = $commonPath + "3.3.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure suspicious packets are logged" + Test = { + $script = $commonPath + "3.3.9.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.10" + Task = "Ensure tcp syn cookies is enabled" + Test = { + $script = $commonPath + "3.3.10.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.11" + Task = "Ensure ipv6 router advertisements are not accepted" + Test = { + $script = $commonPath + "3.3.11.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "4.1.1" + Task = "Ensure ufw is installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W ufw 2>/dev/null + if($test1 -match "ii"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.2" + Task = "Ensure iptables-persistent is not installed with ufw" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null iptables-persistent + if("$test1" -match "^(rc |un |)$"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.3" + Task = "Ensure ufw service is enabled" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = systemctl is-enabled ufw 
2>/dev/null + $test2 = systemctl is-active ufw 2>/dev/null + if($test1 -match "enabled" -and $test2 -match "active"){ + $test3 = ufw status | grep -iE "Status: A[ck]tive?" + if($test3 -ne $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.4" + Task = "Ensure ufw loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = dpkg-query -W -f='${db:Status-Abbrev}' ufw + if($test1 -match "ii"){ + $test2 = ufw status verbose | grep -iE "Status: A[ck]tive?" + if($test2 -eq $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.5" + Task = "Ensure ufw outbound connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = dpkg-query -W -f='${db:Status-Abbrev}' ufw + if($test1 -match "ii"){ + $test2 = ufw status numbered | grep -iE "Status: Ina[ck]tive?" 
+ if($test2 -eq $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.6" + Task = "Ensure ufw firewall rules exist for all open ports" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $path = $scriptPath + "3.5.1.6.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.7" + Task = "Ensure ufw default deny firewall policy" + Test = { + $test1 = dpkg-query -W -f='${db:Status-Abbrev}' ufw + if($test1 -match "ii"){ + $test2 = ufw status verbose | grep -iE "allow" + if($test2 -eq $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.1" + Task = "Ensure nftables is installed" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W nftables 2>/dev/null + if($test1 -match "ii"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.2" + Task = "Ensure ufw is uninstalled or disabled with nftables" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W ufw 2>/dev/null + if($test1 -match "^(rc |un |)$"){ + return $retCompliant + } else { + $test2 = ufw status | grep -iE "Status: Ina[ck]tive?" + if($test2 -ne $null) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "4.2.3" + Task = "Ensure iptables are flushed with nftables" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $script = $scriptPath + "4.2.3.sh" + $result = bash $script + if ($?) 
{ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.4" + Task = "Ensure a nftables table exists" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list tables + if($test1 -match "table"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.5" + Task = "Ensure nftables base chains exist" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.6" + Task = "Ensure nftables loopback traffic is configured" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + if($isIPv6Disabled -ne $true){ + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + $test2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + if($test1 -match 'iif "lo" accept' -and $test2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"){ + return $retCompliant + } + } + else{ + $test = nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + if($test -match 'ip6 saddr ::1 counter packets 0 bytes 0 drop'){ + return $retCompliant + } + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.7" + Task = "Ensure nftables outbound and established connections are configured" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + $test2 = nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + if($test1 -match "ip protocol tcp ct state established accept" -and $test1 -match "p protocol udp ct state established accept" -and $test1 -match "ip protocol icmp ct state established accept" -and $test2 -match "ip protocol tcp ct state established,related,new accep" -and $test2 -match "ip protocol udp ct state established,related,new accept" -and $test2 -match "ip protocol icmp ct state established,related,new accept"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.8" + Task = "Ensure nftables default deny firewall policy" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "policy drop" -and $test2 -match "policy drop" -and $test3 -match "policy drop"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.9" + Task = "Ensure nftables service is enabled" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = systemctl is-enabled nftables + if($test1 -match "enabled"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.10" + Task = "Ensure nftables rules are permanent" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $path1 = $scriptPath + "3.5.2.10_1.sh" + $path2 = $scriptPath + "3.5.2.10_2.sh" + $path3 = $scriptPath + "3.5.2.10_3.sh" + if($path1 -ne $null -and $path2 -ne $null -and $path3 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.1.1" + Task = "Ensure iptables packages are installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null iptables-persistent + if($test1 -match "ii"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.1.2" + Task = "Ensure nftables is not installed with iptables" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null nftables + if("$test1" -match "^(rc |un |)$"){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "4.3.1.3" + Task = "Ensure ufw is uninstalled or disabled with iptables" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W ufw 2>/dev/null + if($test1 -match "^(rc |un |)$"){ + return $retCompliant + } else { + $test2 = ufw status | grep 
-iE "Status: Ina[ck]tive?" + $test3 = systemctl is-enabled ufw + if($test2 -ne $null -and $test3 -match "masked") { + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.2.1" + Task = "Ensure iptables default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $output = iptables -L + $test1 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $test2 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $test3 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.2.2" + Task = "Ensure iptables loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP" + $test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP" + if($test1 -ne $null -and $test2 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.2.3" + Task = "Ensure iptables outbound and established connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = iptables -L -v -n + if($test1 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +# 3.5.3.2.4 ... 
+ +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "4.3.2.4" + Task = "Ensure iptables firewall rules exist for all open ports" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "4.3.3.1" + Task = "Ensure ip6tables default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $output = ip6tables -L + $test11 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $test12 = $output -match "REJECT" | grep "Chain INPUT (policy REJECT)" + $test21 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + $test22 = $output -match "REJECT" | grep "Chain OUTPUT (policy REJECT)" + $test31 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $test32 = $output -match "REJECT" | grep "Chain FORWARD (policy REJECT)" + + if ($IPv6Status -eq $false) { + return @{ + Message = "IPv6 is disabled" + Status = "True" + } + } + if(($test11 -ne $null -or $test12 -ne $null) -and ($test21 -ne $null -or $test22 -ne $null) -and ($test31 -ne $null -or $test32 -ne $null)){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.3.2" + Task = "Ensure ip6tables loopback traffic is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "4.3.3.3" + Task = "Ensure ip6tables outbound and established connections are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "4.3.3.4" + Task = "Ensure ip6tables firewall rules exist for all open ports" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled and running" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if($test1 -eq "enabled" -and $test2 -match "running"){ + return $retCompliant + } + return 
$retNonCompliant + } +} +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test1 = stat -c '%#a' /etc/crontab | grep -q "0600" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + $script = $commonPath + "5.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure sshd access is configured" + Test = { + if (sshd -T | grep -Piq -- "^\h*(allow|deny)(users|groups)\h+\H+") { + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure sshd Banner is configured" + Test = { + if (sshd -T | grep -Piq -- "^\h*banner\h+\H+") { + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure sshd Ciphers are configured" + Test = { + $script = $scriptPath + "5.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" + Test = { + $script = $scriptPath + "5.1.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure sshd DisableForwarding is enabled" + Test = { + $script = $scriptPath + "5.1.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure sshd GSSAPIAuthentication is disabled" + Test = { + $script = $scriptPath + "5.1.9.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.10" + Task = "Ensure sshd HostbasedAuthentication is disabled" + Test = { + $script = $scriptPath + "5.1.10.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.11" + Task = "Ensure sshd IgnoreRhosts is enabled" + Test = { + $script = $scriptPath + "5.1.11.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.12" + Task = "Ensure sshd KexAlgorithms is configured" + Test = { + $script = $scriptPath + "5.1.12.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.13" + Task = "Ensure sshd LoginGraceTime is configured" + Test = { + $script = $scriptPath + "5.1.13.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.14" + Task = "Ensure sshd LogLevel is configured" + Test = { + $script = $scriptPath + "5.1.14.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.15" + Task = "Ensure sshd MACs are configured" + Test = { + $script = $scriptPath + "5.1.15.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.16" + Task = "Ensure sshd MaxAuthTries is configured" + Test = { + $script = $commonPath + "5.1.16.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.17" + Task = "Ensure sshd MaxSessions is configured" + Test = { + $script = $scriptPath + "5.1.17.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.18" + Task = "Ensure sshd MaxStartups is configured" + Test = { + $script = $scriptPath + "5.1.18.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.19" + Task = "Ensure sshd PermitEmptyPasswords is disabled" + Test = { + $script = $commonPath + "5.1.19.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.20" + Task = "Ensure sshd PermitRootLogin is disabled" + Test = { + $script = $commonPath + "5.1.20.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.21" + Task = "Ensure sshd PermitUserEnvironment is disabled" + Test = { + $script = $commonPath + "5.1.21.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.22" + Task = "Ensure sshd UsePAM is enabled" + Test = { + $script = $commonPath + "5.1.22.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure sudo is installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null sudo + if($test1 -match "ii"){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure sudo commands use pty" + Test = { + $script = $commonPath + "5.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure sudo log file exists" + Test = { + $script = $commonPath + "5.2.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.4" + Task = "Ensure users must provide password for privilege escalation" + Test = { + $script = $scriptPath + "5.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.5" + Task = "Ensure re-authentication for privilege escalation is not disabled globally" + Test = { + $script = $scriptPath + "5.2.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.6" + Task = "Ensure sudo authentication timeout is configured correctly" + Test = { + $script = $commonPath + "5.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.7" + Task = "Ensure access to the su command is restricted" + Test = { + $script = $scriptPath + "5.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.1.1" + Task = "Ensure latest version of pam is installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null libpam-runtime + if($test1 -match "ii"){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.3.1.2" + Task = "Ensure libpam-modules is installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null libpam-modules + if($test1 -match "ii"){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.3.1.3" + Task = "Ensure libpam-pwquality is installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null libpam-pwquality + if($test1 -match "ii"){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.3.2.1" + Task = "Ensure pam_unix module is enabled" + Test = { + $script = $scriptPath + "5.3.2.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.2" + Task = "Ensure pam_faillock module is enabled" + Test = { + $script = $scriptPath + "5.3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.3" + Task = "Ensure pam_pwquality module is enabled" + Test = { + $script = $scriptPath + "5.3.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.4" + Task = "Ensure pam_pwhistory module is enabled" + Test = { + $script = $scriptPath + "5.3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.1" + Task = "Ensure password failed attempts lockout is configured" + Test = { + $script = $commonPath + "5.3.3.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.2" + Task = "Ensure password unlock time is configured" + Test = { + $script = $commonPath + "5.3.3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.3" + Task = "Ensure password failed attempts lockout includes root account" + Test = { + $script = $commonPath + "5.3.3.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.1" + Task = "Ensure password number of changed characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.2" + Task = "Ensure minimum password length is configured" + Test = { + $script = $commonPath + "5.3.3.2.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.3" + Task = "Ensure password complexity is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "5.3.3.2.4" + Task = "Ensure password same consecutive characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.5" + Task = "Ensure password maximum sequential characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.6" + Task = "Ensure password dictionary check is enabled" + Test = { + $script = $commonPath + "5.3.3.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.7" + Task = "Ensure password quality checking is enforced" + Test = { + $script = $scriptPath + "5.3.3.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.8" + Task = "Ensure password quality is enforced for the root user" + Test = { + $script = $scriptPath + "5.3.3.2.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.1" + Task = "Ensure password history remember is configured" + Test = { + $script = $scriptPath + "5.3.3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.2" + Task = "Ensure password history is enforced for the root user" + Test = { + $script = $scriptPath + "5.3.3.3.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.3" + Task = "Ensure pam_pwhistory includes use_authtok" + Test = { + $script = $commonPath + "5.3.3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.1" + Task = "Ensure pam_unix does not include nullok" + Test = { + $script = $commonPath + "5.3.3.4.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.2" + Task = "Ensure pam_unix does not include remember" + Test = { + $script = $scriptPath + "5.3.3.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.3" + Task = "Ensure pam_unix includes a strong password hashing algorithm" + Test = { + $script = $scriptPath + "5.3.3.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.4" + Task = "Ensure pam_unix includes use_authtok" + Test = { + $script = $commonPath + "5.3.3.4.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.1" + Task = "Ensure password expiration is configured" + Test = { + $script = $commonPath + "5.4.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.2" + Task = "Ensure minimum password age is configured" + Test = { + $script = $commonPath + "5.4.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.3" + Task = "Ensure password expiration warning days is configured" + Test = { + $script = $commonPath + "5.4.1.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.4" + Task = "Ensure strong password hashing algorithm is configured" + Test = { + $script = $commonPath + "5.4.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.5" + Task = "Ensure inactive password lock is configured" + Test = { + $script = $commonPath + "5.4.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.6" + Task = "Ensure all users last password change date is in the past" + Test = { + $path = $scriptPath + "5.5.1.5.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.1" + Task = "Ensure root is the only UID 0 account" + Test = { + $test1 = awk -F: '($3 == 0) { print $1 }' /etc/passwd + if($test1 -match "root"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.2" + Task = "Ensure root is the only GID 0 account" + Test = { + $test1 = grep "^root:" /etc/passwd | cut -f4 -d ':' + if($test1 -eq 0){ + return $retCompliant + } + return $retNonCompliant + } + } + [AuditTest] @{ + Id = "5.4.2.3" + Task = "Ensure group root is the only GID 0 group" + Test = { + $script = $commonPath + "5.4.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.4" + Task = "Ensure root password is set" + Test = { + $script = $scriptPath + "5.4.2.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.5" + Task = "Ensure root PATH Integrity" + Test = { + $path = $scriptPath + "6.2.9.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.6" + Task = "Ensure root user umask is configured" + Test = { + $script = $commonPath + "5.4.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.7" + Task = "Ensure system accounts do not have a valid login shell" + Test = { + $script = $commonPath + "5.4.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.8" + Task = "Ensure accounts without a valid login shell are locked" + Test = { + $script = $commonPath + "5.4.2.8.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.3.1" + Task = "Ensure nologin is not listed in /etc/shells" + Test = { + $script = $commonPath + "5.4.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.3.2" + Task = "Ensure default user shell timeout is configured" + Test = { + $script = $commonPath + "5.4.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.3.3" + Task = "Ensure default user umask is configured" + Test = { + $script = $commonPath + "5.4.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd- | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + Test = { + $script = $commonPath + "6.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.1" + Task = "Ensure journald service is enabled and active" + Test = { + $test1 = systemctl is-enabled rsyslog + if($test1 -match "enabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.2" + Task = "Ensure journald log file access is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "6.2.1.1.3" + Task = "Ensure journald log file rotation is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "6.2.1.1.4" + Task = "Ensure journald ForwardToSyslog is disabled" + Test = { + $script = $scriptPath + "6.2.1.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.5" + Task = "Ensure journald Storage is configured" + Test = { + $script = $scriptPath + "6.2.1.1.5.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.6" + Task = "Ensure journald Compress is configured" + Test = { + $script = $scriptPath + "6.2.1.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.2.1" + Task = "Ensure systemd-journal-remote is installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null systemd-journal-remote + if($test1 -match "ii"){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "6.2.1.2.2" + Task = "Ensure systemd-journal-remote authentication is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "6.2.1.2.3" + Task = "Ensure systemd-journal-upload is enabled and active" + Test = { + $test1 = systemctl is-enabled systemd-journal-upload.service + $test2 = systemctl is-active systemd-journal-upload.service + if($test1 -eq "enabled" -and $test2 -match "active"){ + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "6.2.1.2.4" + Task = "Ensure systemd-journal-remote service is not in use" + Test = { + $script = $scriptPath + "6.2.1.2.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.2.1" + Task = "Ensure access to all logfiles has been configured" + Test = { + $fileListAll = find /var/log -type f -ls + $fileListFiltered = find /var/log -type f -ls | grep "\-....\-\-\-\-\-" + if($fileListAll.Count -eq $fileListFiltered.Count){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.1.1" + Task = "Ensure auditd packages are installed" + Test = { + $test1 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null auditd + $test2 = dpkg-query -f='${db:Status-Abbrev}' -W 2>/dev/null audispd-plugins + if($test1 -match "ii" -and $test2 -match "ii"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.1.2" + Task = "Ensure auditd service is enabled and active" + Test = { + $test1 = systemctl is-enabled auditd + if($test1 -match "enabled"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.1.3" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $script = $scriptPath + "6.3.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.1.4" + Task = "Ensure audit_backlog_limit is sufficient" + Test = { + $script = $scriptPath + "6.3.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + $script = $commonPath + "6.3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $script = $commonPath + "6.3.2.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $test1 = grep -Pi -- '^\h*disk_full_action\h*=\h*(halt|single)\b' /etc/audit/auditd.conf + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.2.4" + Task = "Ensure system warns when audit logs are low on space" + Test = { + $test1 = grep -Pi -- '^\h*space_left_action\h*=\h*\w+\b' /etc/audit/auditd.conf | awk '{print $3}' + if($test1 -match "^(email|exec|single|halt)$"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.3.1" + Task = "Ensure changes to system administration scope is collected" + Test = { + $script = $commonPath + "6.3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.2" + Task = "Ensure actions as another user are always logged" + Test = { + $script = $commonPath + "6.3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.3" + Task = "Ensure events that modify the sudo log file are collected" + Test = { + $script = $commonPath + "6.3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.4" + Task = "Ensure events that modify date and time information are collected" + Test = { + $script = $commonPath + "6.3.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + $script = $commonPath + "6.3.3.5.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.6" + Task = "Ensure use of privileged commands are collected" + Test = { + $script = $commonPath + "6.3.3.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.7" + Task = "Ensure unsuccessful file access attempts are collected" + Test = { + $script = $commonPath + "6.3.3.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.8" + Task = "Ensure events that modify user/group information are collected" + Test = { + $script = $commonPath + "6.3.3.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.9" + Task = "Ensure discretionary access control permission modification events are collected" + Test = { + $script = $commonPath + "6.3.3.9.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.10" + Task = "Ensure successful file system mounts are collected" + Test = { + $script = $commonPath + "6.3.3.10.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.11" + Task = "Ensure session initiation information is collected" + Test = { + $path1 = $scriptPath + "4.1.3.11_1.sh" + $result11 = bash $path1 | grep "\-w /var/run/utmp -p wa -k session" + $result12 = bash $path1 | grep "\-w /var/log/wtmp -p wa -k session" + $result13 = bash $path1 | grep "\-w /var/log/btmp -p wa -k session" + $path2 = $scriptPath + "4.1.3.11_2.sh" + $result21 = bash $path2 | grep "\-w /var/run/utmp -p wa -k session" + $result22 = bash $path2 | grep "\-w /var/log/wtmp -p wa -k session" + $result23 = bash $path2 | grep "\-w /var/log/btmp -p wa -k session" + if($result11 -ne $null -and $result12 -ne $null -and $result13 -ne $null -and $result21 -ne $null -and $result22 -ne $null -and $result23 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.3.12" + Task = "Ensure login and logout events are collected" + Test = { + $script = $commonPath + "6.3.3.12.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.13" + Task = "Ensure file deletion events by users are collected" + Test = { + $script = $commonPath + "6.3.3.13.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.14" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + $script = $commonPath + "6.3.3.14.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.15" + Task = "Ensure successful and unsuccessful attempts to use the chcon command are recorded" + Test = { + $script = $commonPath + "6.3.3.15.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.16" + Task = "Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + Test = { + $script = $commonPath + "6.3.3.16.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.17" + Task = "Ensure successful and unsuccessful attempts to use the chacl command are recorded" + Test = { + $script = $commonPath + "6.3.3.17.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.18" + Task = "Ensure successful and unsuccessful attempts to use the usermod command are recorded" + Test = { + $script = $commonPath + "6.3.3.18.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.19" + Task = "Ensure kernel module loading unloading and modification is collected" + Test = { + $script = $commonPath + "6.3.3.19.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.20" + Task = "Ensure the audit configuration is immutable" + Test = { + $test1 = grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -l + if($test1 -match "-e 2"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.3.21" + Task = "Ensure the running and on disk configuration is the same" + Test = { + $test1 = augenrules --check + if($test1 -match "/usr/sbin/augenrules: No change"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.4.1" + Task = "Ensure audit log files mode is configured" + Test = { + $script = $scriptPath + "6.3.4.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.2" + Task = "Ensure audit log files owner is configured" + Test = { + $script = $scriptPath + "6.3.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.3" + Task = "Ensure audit log files group owner is configured" + Test = { + $script = $scriptPath + "6.3.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.4" + Task = "Ensure the audit log file directory mode is configured" + Test = { + $script = $scriptPath + "6.3.4.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.5" + Task = "Ensure audit configuration files mode is configured" + Test = { + $script = $commonPath + "6.3.4.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.6" + Task = "Ensure audit configuration files owner is configured" + Test = { + $script = $commonPath + "6.3.4.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.7" + Task = "Ensure audit configuration files group owner is configured" + Test = { + $script = $commonPath + "6.3.4.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.8" + Task = "Ensure audit tools mode is configured" + Test = { + $script = $commonPath + "6.3.4.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.9" + Task = "Ensure audit tools owner is configured" + Test = { + $script = $commonPath + "6.3.4.9.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.10" + Task = "Ensure audit tools group owner is configured" + Test = { + $test1 = stat -Lc '%G' /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | awk '$1 != "root" {print}' + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.2" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd- | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.3" + Task = "Ensure permissions on /etc/group are configured" + Test = { + $test1 = stat -c '%#a' /etc/group | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.4" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat -c '%#a' /etc/group- | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.5" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat -c '%#a' /etc/shadow | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.6" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat -c '%#a' /etc/shadow- | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.7" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat -c '%#a' /etc/gshadow | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] 
@{ + Id = "7.1.8" + Task = "Ensure permissions on /etc/gshadow- are configured" + Test = { + $test1 = stat -c '%#a' /etc/gshadow- | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.9" + Task = "Ensure permissions on /etc/shells are configured" + Test = { + $script = $commonPath + "7.1.9.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "7.1.10" + Task = "Ensure permissions on /etc/security/opasswd are configured" + Test = { + $script = $commonPath + "7.1.10.sh" + $result = bash $script + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.11" + Task = "Ensure world writable files and directories are secured" + Test = { + #$partitions = mapfile -t partitions < (sudo fdisk -l | grep -o '/dev/[^ ]*') + #$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + $script = $commonPath + "7.1.11.sh" + $result = bash $script + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.12" + Task = "Ensure no files or directories without an owner and a group exist" + Test = { + $script = $commonPath + "7.1.12.sh" + $result = bash $script + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.13" + Task = "Ensure SUID and SGID files are reviewed" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + $message = "" + foreach($line in $test1){ + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "7.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $test1 = awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}'/etc/passwd + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.2" + Task = "Ensure /etc/shadow password fields are not empty" + Test = { + $test1 = awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.3" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $path = $scriptPath + "6.2.3.sh" + $result=bash $path + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.4" + Task = "Ensure shadow group is empty" + Test = { + $test1 = awk -F: '($1=="shadow") {print $NF}' /etc/group + $test2 = awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd + if($test1.Length -eq 0 -and $test2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.5" + Task = "Ensure no duplicate UIDs exist" + Test = { + $path = $scriptPath + "6.2.5.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.6" + Task = "Ensure no duplicate GIDs exist" + Test = { + $path = $scriptPath + "6.2.6.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.7" + Task = "Ensure no duplicate user names exist" + Test = { + $path = $scriptPath + "6.2.7.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.8" + Task = "Ensure 
no duplicate group names exist" + Test = { + $path = $scriptPath + "6.2.8.sh" + $result=bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "7.2.9" + Task = "Ensure local interactive user home directories are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "7.2.10" + Task = "Ensure local interactive user dot files access is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} diff --git a/ATAPAuditor/AuditGroups/Enhanced security settings-FBPro-1.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Enhanced security settings-FBPro-1.0#UserRights.ps1 new file mode 100644 index 0000000..850ebb2 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Enhanced security settings-FBPro-1.0#UserRights.ps1 
@@ -0,0 +1,184 @@ +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "1.0" + Task = "Ensure 'Debug programs' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { 
$null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "Ensure 'Enable DCOM Hardening' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" ` + -Name "RequireIntegrityActivationAuthenticationLevel" ` + | Select-Object -ExpandProperty "RequireIntegrityActivationAuthenticationLevel" + + if ($regValue -ne 0x00000001) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0x00000001" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.2" + Task = "Ensure 'Raise Authentication Level' is set to 'Raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" ` + -Name "RaiseActivationAuthenticationLevel" ` + | Select-Object -ExpandProperty "RaiseActivationAuthenticationLevel" + + if ($regValue -ne 0x00000002) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0x00000002" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..804f2d9 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Google Chrome-CIS-2.0.0#RegistrySettings.ps1 
@@ -0,0 +1,2402 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RemoteAccessHostRequireCurtain" ` + | Select-Object -ExpandProperty "RemoteAccessHostRequireCurtain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Allow gnubby authentication for remote access hosts' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RemoteAccessHostAllowGnubbyAuth" ` + | Select-Object -ExpandProperty "RemoteAccessHostAllowGnubbyAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RemoteAccessHostAllowUiAccessForRemoteAssistance" ` + | Select-Object -ExpandProperty "RemoteAccessHostAllowUiAccessForRemoteAssistance" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2" + Task = "(L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "BackgroundModeEnabled" ` + | Select-Object -ExpandProperty "BackgroundModeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3" + Task = "(L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "PromptForDownloadLocation" ` + | Select-Object -ExpandProperty "PromptForDownloadLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4" + Task = "(L1) Ensure 'Disable saving browser history' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SavingBrowserHistoryDisabled" ` + | Select-Object -ExpandProperty "SavingBrowserHistoryDisabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5" + Task = "(L1) Ensure 'Enable HTTP/0.9 support on non-default ports' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "Http09OnNonDefaultPortsEnabled" ` + | Select-Object -ExpandProperty "Http09OnNonDefaultPortsEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6" + Task = "(L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ComponentUpdatesEnabled" ` + | Select-Object -ExpandProperty "ComponentUpdatesEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.7" + Task = "(L1) Ensure 'Enable deprecated web platform features for a limited time' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.8" + Task = "(L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ThirdPartyBlockingEnabled" ` + | Select-Object -ExpandProperty "ThirdPartyBlockingEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.9" + Task = "(L1) Ensure 'Extend Flash content setting to all content' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RunAllFlashInAllowMode" ` + | Select-Object -ExpandProperty "RunAllFlashInAllowMode" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.10" + Task = "(L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SuppressUnsupportedOSWarning" ` + | Select-Object -ExpandProperty "SuppressUnsupportedOSWarning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.11" + Task = "(L1) Ensure 'Whether online OCSP/CRL checks are performed' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "EnableOnlineRevocationChecks" ` + | Select-Object -ExpandProperty "EnableOnlineRevocationChecks" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.12" + Task = "(L1) Ensure 'Allow WebDriver to Override Incompatible Policies' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "WebDriverOverridesIncompatiblePolicies" ` + | Select-Object -ExpandProperty "WebDriverOverridesIncompatiblePolicies" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.13" + Task = "(L1) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled' with value 'Do not filter sites for adult content' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SafeSitesFilterBehavior" ` + | Select-Object -ExpandProperty "SafeSitesFilterBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.14" + Task = "(L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\OverrideSecurityRestrictionsOnInsecureOrigin" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.15" + Task = "(L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.16" + Task = "(L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.17" + Task = "(L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "(L1) Ensure 'Default Flash Setting' is set to 'Enabled' (Click to Play)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultPluginsSetting" ` + | Select-Object -ExpandProperty "DefaultPluginsSetting" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.2" + Task = "(L2) Ensure 'Default notification setting' is set to 'Enabled' with 'Do not allow any site to show desktop notifications'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultNotificationsSetting" ` + | Select-Object -ExpandProperty "DefaultNotificationsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3" + Task = "(L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled' with 'Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultWebBluetoothGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebBluetoothGuardSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4" + Task = "(L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled' with 'Do not allow any site to request access to USB devices via the WebUSB API'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultWebUsbGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebUsbGuardSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.5" + Task = "(L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' (`"*`" for all extensions)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.6.1" + Task = "(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the values 'extension' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionAllowedTypes" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "extension") { + return @{ + Message = "Registry value is '$regValue'. Expected: extension" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.6.2" + Task = "(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'hosted_app'specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionAllowedTypes" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "hosted_app") { + return @{ + Message = "Registry value is '$regValue'. Expected: hosted_app" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.6.3" + Task = "(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'platform_app' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionAllowedTypes" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "platform_app") { + return @{ + Message = "Registry value is '$regValue'. Expected: platform_app" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.6.4" + Task = "(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'theme'specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionAllowedTypes" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "theme") { + return @{ + Message = "Registry value is '$regValue'. Expected: theme" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.7" + Task = "(L2) Ensure 'Configure native messaging blacklist' is set to 'Enabled' (`"*`" for all messaging applications)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NativeMessagingBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.8" + Task = "(L1) Ensure 'Enable saving passwords to the password manager' is Configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "PasswordManagerEnabled" ` + | Select-Object -ExpandProperty "PasswordManagerEnabled" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.9" + Task = "(L1) Ensure 'Supported authentication schemes' is set to 'Enabled' (ntlm, negotiate)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AuthSchemes" ` + | Select-Object -ExpandProperty "AuthSchemes" + + if ($regValue -ne "ntlm, negotiate") { + return @{ + Message = "Registry value is '$regValue'. Expected: ntlm, negotiate" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.10" + Task = "(L1) Ensure 'Choose how to specify proxy server settings' is not set to 'Enabled' with 'Auto detect proxy settings'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ProxyMode" ` + | Select-Object -ExpandProperty "ProxyMode" + + if ($regValue -ne "auto_detect") { + return @{ + Message = "Registry value is '$regValue'. Expected: auto_detect" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.11" + Task = "(L1) Ensure 'Allow running plugins that are outdated' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AllowOutdatedPlugins" ` + | Select-Object -ExpandProperty "AllowOutdatedPlugins" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.12" + Task = "(L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "CloudPrintProxyEnabled" ` + | Select-Object -ExpandProperty "CloudPrintProxyEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.13" + Task = "(L1) Ensure 'Enable Site Isolation for every site' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SitePerProcess" ` + | Select-Object -ExpandProperty "SitePerProcess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.14" + Task = "(L1) Ensure 'Allow download restrictions' is set to 'Enabled' with 'Block dangerous downloads' specified." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DownloadRestrictions" ` + | Select-Object -ExpandProperty "DownloadRestrictions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.15" + Task = "(L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DisableSafeBrowsingProceedAnyway" ` + | Select-Object -ExpandProperty "DisableSafeBrowsingProceedAnyway" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.16" + Task = "(L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled' with 'Show a recurring prompt to the user indication that a relaunch is required' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RelaunchNotification" ` + | Select-Object -ExpandProperty "RelaunchNotification" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.17" + Task = "(L1) Ensure 'Set the time period for update notifications' is set to 'Enabled' with '86400000' (1 day) specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RelaunchNotificationPeriod" ` + | Select-Object -ExpandProperty "RelaunchNotificationPeriod" + + if (($regValue -gt 86400000)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 86400000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.18" + Task = "(L2) Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RequireOnlineRevocationChecksForLocalAnchors" ` + | Select-Object -ExpandProperty "RequireOnlineRevocationChecksForLocalAnchors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.19" + Task = "(L1) Ensure 'Enable Chrome Cleanup on Windows' is Configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ChromeCleanupEnabled" ` + | Select-Object -ExpandProperty "ChromeCleanupEnabled" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.20" + Task = "(L2) Ensure 'Use built-in DNS client' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "BuiltInDnsClientEnabled" ` + | Select-Object -ExpandProperty "BuiltInDnsClientEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.21" + Task = "(L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update" ` + -Name "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" ` + | Select-Object -ExpandProperty "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1" + Task = "(L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the duration of the session)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultCookiesSetting" ` + | Select-Object -ExpandProperty "DefaultCookiesSetting" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.2" + Task = "(L1) Ensure 'Default geolocation setting' is set to 'Enabled' with 'Do not allow any site to track the users' physical location'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "DefaultGeolocationSetting" ` + | Select-Object -ExpandProperty "DefaultGeolocationSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.3" + Task = "(L1) Ensure 'Enable Google Cast' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "EnableMediaRouter" ` + | Select-Object -ExpandProperty "EnableMediaRouter" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.4" + Task = "(L1) Ensure 'Block third party cookies' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "BlockThirdPartyCookies" ` + | Select-Object -ExpandProperty "BlockThirdPartyCookies" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.5" + Task = "(L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "MetricsReportingEnabled" ` + | Select-Object -ExpandProperty "MetricsReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.6" + Task = "(L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ChromeCleanupReportingEnabled" ` + | Select-Object -ExpandProperty "ChromeCleanupReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.7" + Task = "(L1) Ensure 'Browser sign in settings' is set to 'Enabled' with 'Disabled browser sign-in' specified" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "BrowserSignin" ` + | Select-Object -ExpandProperty "BrowserSignin" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.8" + Task = "(L1) Ensure 'Enable Translate' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "TranslateEnabled" ` + | Select-Object -ExpandProperty "TranslateEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.9" + Task = "(L1) Ensure 'Enable network prediction' is set to 'Enabled' with 'Do not predict actions on any network connection' selected" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "NetworkPredictionOptions" ` + | Select-Object -ExpandProperty "NetworkPredictionOptions" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.10" + Task = "(L1) Ensure 'Enable search suggestions' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SearchSuggestEnabled" ` + | Select-Object -ExpandProperty "SearchSuggestEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.11" + Task = "(L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SpellCheckServiceEnabled" ` + | Select-Object -ExpandProperty "SpellCheckServiceEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.12" + Task = "(L1) Ensure 'Enable alternate error pages' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AlternateErrorPagesEnabled" ` + | Select-Object -ExpandProperty "AlternateErrorPagesEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.13" + Task = "(L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SyncDisabled" ` + | Select-Object -ExpandProperty "SyncDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.14" + Task = "(L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "SafeBrowsingForTrustedSourcesEnabled" ` + | Select-Object -ExpandProperty "SafeBrowsingForTrustedSourcesEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.15" + Task = "(L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "UrlKeyedAnonymizedDataCollectionEnabled" ` + | Select-Object -ExpandProperty "UrlKeyedAnonymizedDataCollectionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.16" + Task = "(L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AllowDeletingBrowserHistory" ` + | Select-Object -ExpandProperty "AllowDeletingBrowserHistory" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1.1" + Task = "(L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RemoteAccessHostFirewallTraversal" ` + | Select-Object -ExpandProperty "RemoteAccessHostFirewallTraversal" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1.2" + Task = "(L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RemoteAccessHostAllowClientPairing" ` + | Select-Object -ExpandProperty "RemoteAccessHostAllowClientPairing" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1.3" + Task = "(L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "RemoteAccessHostAllowRelayedConnection" ` + | Select-Object -ExpandProperty "RemoteAccessHostAllowRelayedConnection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1.4" + Task = "(L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain defined" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\RemoteAccessHostClientDomainList" ` + -Name "\d+" ` + | Select-Object -ExpandProperty "\d+" + + if ($regValue -notmatch ".*") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.*'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L1) Ensure 'Enable submission of documents to Google Cloud print' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "CloudPrintSubmitEnabled" ` + | Select-Object -ExpandProperty "CloudPrintSubmitEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "ImportSavedPasswords" ` + | Select-Object -ExpandProperty "ImportSavedPasswords" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "(L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AutofillCreditCardEnabled" ` + | Select-Object -ExpandProperty "AutofillCreditCardEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "(L1) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome" ` + -Name "AutofillAddressEnabled" ` + | Select-Object -ExpandProperty "AutofillAddressEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1 new file mode 100644 index 0000000..a2ce833 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Google Chrome-DISA-V1R15#RegistrySettings.ps1 
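Review bot: In the 2.17 test (RelaunchNotificationPeriod) the comparison `if (($regValue -gt 86400000))` passes any value up to and including one day, while the Task string says the policy must be set "with '86400000' (1 day) specified". Either the Task should read "at most 86400000" to agree with the "Expected: x <= 86400000" message, or the check should be `if ($regValue -ne 86400000)` like the other fixed-value tests in this file. The doubled parentheses around the condition are also redundant.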
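Review bot: The 4.1.4 test (RemoteAccessHostClientDomainList) cannot pass as written. `-Name "\d+"` is handed to Get-ItemProperty as a literal value name (the parameter accepts wildcards, not regular expressions), so no such value exists and every run ends in the PSArgumentException branch with "Registry value not found."; and even if a value were read, `$regValue -notmatch ".*"` is never true (an empty string and $null both match `.*`), so the "Expected: Matching expression" branch is dead code. Since the domain list is stored as numbered values (1, 2, ...) whose data is the domain, suggest opening the key with Get-Item and enumerating its values, e.g. `$key = Get-Item -ErrorAction Stop -Path $path`, `$names = $key.GetValueNames()`, then failing when `$names.Count -eq 0` or when any `$key.GetValue($name)` is empty.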
@@ -0,0 +1,1296 @@ +[AuditTest] @{ + Id = "DTBC-0001" + Task = "Firewall traversal from remote host must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "RemoteAccessHostFirewallTraversal" ` + | Select-Object -ExpandProperty "RemoteAccessHostFirewallTraversal" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0003" + Task = "Sites ability for showing desktop notifications must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultNotificationsSetting" ` + | Select-Object -ExpandProperty "DefaultNotificationsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0004" + Task = "Sites ability to show pop-ups must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultPopupsSetting" ` + | Select-Object -ExpandProperty "DefaultPopupsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0002" + Task = "Site tracking users location must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultGeolocationSetting" ` + | Select-Object -ExpandProperty "DefaultGeolocationSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0005" + Task = "Extensions installation must be blacklisted by default." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0006" + Task = "Extensions that are approved for use must be whitelisted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallWhitelist" ` + -Name "ExtensionInstallWhitelist" ` + | Select-Object -ExpandProperty "ExtensionInstallWhitelist" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0009" + Task = "Default search provider must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultSearchProviderEnabled" ` + | Select-Object -ExpandProperty "DefaultSearchProviderEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0011" + Task = "The Password Manager must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "PasswordManagerEnabled" ` + | Select-Object -ExpandProperty "PasswordManagerEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0013" + Task = "The running of outdated plugins must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome" ` + -Name "AllowOutdatedPlugins" ` + | Select-Object -ExpandProperty "AllowOutdatedPlugins" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0015" + Task = "Third party cookies must be blocked." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "BlockThirdPartyCookies" ` + | Select-Object -ExpandProperty "BlockThirdPartyCookies" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0017" + Task = "Background processing must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "BackgroundModeEnabled" ` + | Select-Object -ExpandProperty "BackgroundModeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0019" + Task = "3D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "Disable3DAPIs" ` + | Select-Object -ExpandProperty "Disable3DAPIs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0020" + Task = "Google Data Synchronization must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SyncDisabled" ` + | Select-Object -ExpandProperty "SyncDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0021" + Task = "The URL protocol schema javascript must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\URLBlacklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "javascript://*") { + return @{ + Message = "Registry value is '$regValue'. Expected: javascript://*" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0023" + Task = "Cloud print sharing must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "CloudPrintProxyEnabled" ` + | Select-Object -ExpandProperty "CloudPrintProxyEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0025" + Task = "Network prediction must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "NetworkPredictionOptions" ` + | Select-Object -ExpandProperty "NetworkPredictionOptions" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0026" + Task = "Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. 
On standalone systems, the policy will not display.)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "MetricsReportingEnabled" ` + | Select-Object -ExpandProperty "MetricsReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0027" + Task = "Search suggestions must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SearchSuggestEnabled" ` + | Select-Object -ExpandProperty "SearchSuggestEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0029" + Task = "Importing of saved passwords must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "ImportSavedPasswords" ` + | Select-Object -ExpandProperty "ImportSavedPasswords" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0030" + Task = "Incognito mode must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "IncognitoModeAvailability" ` + | Select-Object -ExpandProperty "IncognitoModeAvailability" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0037" + Task = "Online revocation checks must be done." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "EnableOnlineRevocationChecks" ` + | Select-Object -ExpandProperty "EnableOnlineRevocationChecks" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0038" + Task = "Safe Browsing must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SafeBrowsingEnabled" ` + | Select-Object -ExpandProperty "SafeBrowsingEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0039" + Task = "Browser history must be saved." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SavingBrowserHistoryDisabled" ` + | Select-Object -ExpandProperty "SavingBrowserHistoryDisabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0040" + Task = "Default behavior must block webpages from automatically running plugins." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultPluginsSetting" ` + | Select-Object -ExpandProperty "DefaultPluginsSetting" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0051" + Task = "URLs must be whitelisted for plugin use" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "PluginsAllowedForUrls" ` + | Select-Object -ExpandProperty "PluginsAllowedForUrls" + + if ($regValue -ne "Suggested: the set or subset of [*.]mil and [*.]gov") { + return @{ + Message = "Registry value is '$regValue'. Expected: Suggested: the set or subset of [*.]mil and [*.]gov" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0052" + Task = "Deletion of browser history must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "AllowDeletingBrowserHistory" ` + | Select-Object -ExpandProperty "AllowDeletingBrowserHistory" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0053" + Task = "Prompt for download location must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "PromptForDownloadLocation" ` + | Select-Object -ExpandProperty "PromptForDownloadLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0064" + Task = "Autoplay must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "AutoplayAllowed" ` + | Select-Object -ExpandProperty "AutoplayAllowed" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0056" + Task = "Chrome must be configured to allow only TLS." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SSLVersionMin" ` + | Select-Object -ExpandProperty "SSLVersionMin" + + if ($regValue -ne "tls1.1") { + return @{ + Message = "Registry value is '$regValue'. Expected: tls1.1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0057" + Task = "Safe Browsing Extended Reporting must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "SafeBrowsingExtendedReportingEnabled" ` + | Select-Object -ExpandProperty "SafeBrowsingExtendedReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0058" + Task = "WebUSB must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "DefaultWebUsbGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebUsbGuardSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0060" + Task = "Chrome Cleanup must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "ChromeCleanupEnabled" ` + | Select-Object -ExpandProperty "ChromeCleanupEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0061" + Task = "Chrome Cleanup reporting must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "ChromeCleanupReportingEnabled" ` + | Select-Object -ExpandProperty "ChromeCleanupReportingEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0063" + Task = "Google Cast must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "EnableMediaRouter" ` + | Select-Object -ExpandProperty "EnableMediaRouter" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0066" + Task = "Anonymized data collection must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "UrlKeyedAnonymizedDataCollectionEnabled" ` + | Select-Object -ExpandProperty "UrlKeyedAnonymizedDataCollectionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBC-0067" + Task = "Collection of WebRTC event logs must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\" ` + -Name "WebRtcEventLogCollectionAllowed" ` + | Select-Object -ExpandProperty "WebRtcEventLogCollectionAllowed" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..41af9a6 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 
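Review bot: DTBC-0051 compares the PluginsAllowedForUrls value with the literal string "Suggested: the set or subset of [*.]mil and [*.]gov", which is the benchmark's guidance sentence rather than anything a registry value would hold, so this test can never return Compliant on a real system. PluginsAllowedForUrls is a URL-pattern list like the URLBlacklist handled in DTBC-0021, so the test should enumerate the numbered values under that policy's own subkey and validate each pattern (for instance that every entry matches `[*.]mil` or `[*.]gov`) instead of equating one value with the sentence. Related: DTBC-0021 reads only value "1" under URLBlacklist, so `javascript://*` placed at any other index is reported as non-compliant; enumerate all values under the key and check for membership. DTBC-0056 uses `-ne "tls1.1"`, so a stricter minimum such as `tls1.2` is reported as a failure even though the Task ("allow only TLS") is satisfied; consider accepting tls1.1 or higher. Minor: DTBC-0013 is the only entry whose `-Path` lacks the trailing backslash; harmless with the Registry provider, but worth aligning with the rest of the file.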
@@ -0,0 +1,4854 @@ +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Enable Google Cast' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EnableMediaRouter" ` + | Select-Object -ExpandProperty "EnableMediaRouter" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.1" + Task = "(L2) Ensure 'Allow read access via the File System API on these sites' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "FileSystemReadAskForUrls" ` + | Select-Object -ExpandProperty "FileSystemReadAskForUrls" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.2" + Task = "(L1) Ensure 'Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SpotlightExperiencesAndRecommendationsEnabled" ` + | Select-Object -ExpandProperty "SpotlightExperiencesAndRecommendationsEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.3" + Task = "(L1) Ensure 'Control use of insecure content exceptions' is set to 'Enabled: Do not allow any site to load mixed content'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultinsecurecontentSetting" ` + | Select-Object -ExpandProperty "DefaultinsecurecontentSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.4" + Task = "(L2) Ensure 'Control use of JavaScript JIT' is set to 'Enabled: Do not allow any site to run JavaScript JIT'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultJavaScriptJitSetting" ` + | Select-Object -ExpandProperty "DefaultJavaScriptJitSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.5" + Task = "(L2) Ensure 'Control use of the File System API for reading' is set to 'Enabled: Don't allow any site to request read access to files and directories'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultFileSystemReadGuardSetting" ` + | Select-Object -ExpandProperty "DefaultFileSystemReadGuardSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.6" + Task = "(L1) Ensure 'Control use of the File System API for writing' is set to 'Enabled: Don't allow any site to request write access to files and directories'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultFileSystemWriteGuardSetting" ` + | Select-Object -ExpandProperty "DefaultFileSystemWriteGuardSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.7" + Task = "(L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultWebBluetoothGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebBluetoothGuardSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.8" + Task = "(L2) Ensure 'Control use of the WebHID API' is set to 'Enabled: Do not allow any site to request access to HID devices via the WebHID API'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultWebHidGuardSetting" ` + | Select-Object -ExpandProperty "DefaultWebHidGuardSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.9" + Task = "(L1) Ensure 'Default automatic downloads setting' is set to 'Enabled: Don´t allow any website to perform automatic downloads'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultAutomaticDownloadsSetting" ` + | Select-Object -ExpandProperty "DefaultAutomaticDownloadsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.10" + Task = "(L1) Ensure 'Default geolocation setting' is set to 'Enabled: Don't allow any site to track users physical location'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultGeolocationSetting" ` + | Select-Object -ExpandProperty "DefaultGeolocationSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "(L1) Ensure 'Configure users ability to override feature flags' is set to 'Enabled: Prevent users from overriding feature flags'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "FeatureFlagOverridesControl" ` + | Select-Object -ExpandProperty "FeatureFlagOverridesControl" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6.1" + Task = "(L2) Ensure 'Configure extension management settings' is set to 'Enabled: *'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ExtensionSettings" ` + | Select-Object -ExpandProperty "ExtensionSettings" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.7.1" + Task = "(L1) Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BasicAuthOverHttpEnabled" ` + | Select-Object -ExpandProperty "BasicAuthOverHttpEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.7.2" + Task = "(L1) Ensure 'Allow cross-origin HTTP Basic Auth prompts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AllowCrossOriginAuthPrompt" ` + | Select-Object -ExpandProperty "AllowCrossOriginAuthPrompt" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.7.3" + Task = "(L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AuthSchemes" ` + | Select-Object -ExpandProperty "AuthSchemes" + + if ($regValue -ne "ntlm, negotiate") { + return @{ + Message = "Registry value is '$regValue'. Expected: ntlm, negotiate" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.8.1" + Task = "(L1) Ensure 'Enable the linked account feature' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "LinkedAccountEnabled" ` + | Select-Object -ExpandProperty "LinkedAccountEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.8.2" + Task = "(L1) Ensure 'Guided Switch Enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "GuidedSwitchEnabled" ` + | Select-Object -ExpandProperty "GuidedSwitchEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.13.1" + Task = "(L1) Ensure 'Enable saving passwords to the password manager' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "PasswordManagerEnabled" ` + | Select-Object -ExpandProperty "PasswordManagerEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.14.1" + Task = "(L1) Ensure 'Enable startup boost' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "StartupBoostEnabled" ` + | Select-Object -ExpandProperty "StartupBoostEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.17.1" + Task = "(L1) Ensure 'Specifies whether to allow websites to make requests to more-private network endpoints' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InsecurePrivateNetworkRequestsAllowed" ` + | Select-Object -ExpandProperty "InsecurePrivateNetworkRequestsAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.20.1" + Task = "(L1) Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SmartScreenEnabled" ` + | Select-Object -ExpandProperty "SmartScreenEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.20.2" + Task = "(L1) Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SmartScreenPuaEnabled" ` + | Select-Object -ExpandProperty "SmartScreenPuaEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.20.3" + Task = "(L1) Ensure 'Enable Microsoft Defender SmartScreen DNS requests' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SmartScreenDnsRequestsEnabled" ` + | Select-Object -ExpandProperty "SmartScreenDnsRequestsEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.20.4" + Task = "(L1) Ensure 'Force Microsoft Defender SmartScreen checks on downloads from trusted sources' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SmartScreenForTrustedDownloadsEnabled" ` + | Select-Object -ExpandProperty "SmartScreenForTrustedDownloadsEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.20.5" + Task = "(L1) Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "PreventSmartScreenPromptOverride" ` + | Select-Object -ExpandProperty "PreventSmartScreenPromptOverride" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.20.6" + Task = "(L1) Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "PreventSmartScreenPromptOverrideForFiles" ` + | Select-Object -ExpandProperty "PreventSmartScreenPromptOverrideForFiles" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.22.1" + Task = "(L1) Ensure 'Configure Edge TyposquattingChecker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "TyposquattingCheckerEnabled" ` + | Select-Object -ExpandProperty "TyposquattingCheckerEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.23" + Task = "(L1) Ensure 'Ads setting for sites with intrusive ads' is set to 'Enabled: Block ads on sites with intrusive ads'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AdsSettingForIntrusiveAdsSites" ` + | Select-Object -ExpandProperty "AdsSettingForIntrusiveAdsSites" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.24" + Task = "(L1) Ensure 'Allow download restrictions' is set to 'Enabled: Block potentially dangerous downloads'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DownloadRestrictions" ` + | Select-Object -ExpandProperty "DownloadRestrictions" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.25" + Task = "(L2) Ensure 'Allow features to download assets from the Asset Delivery Service' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EdgeAssetDeliveryServiceEnabled" ` + | Select-Object -ExpandProperty "EdgeAssetDeliveryServiceEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.26" + Task = "(L2) Ensure 'Allow file selection dialogs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AllowFileSelectionDialogs" ` + | Select-Object -ExpandProperty "AllowFileSelectionDialogs" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.27" + Task = "(L1) Ensure 'Allow Google Cast to connect to Cast devices on all IP addresses' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "MediaRouterCastAllowAllIPs" ` + | Select-Object -ExpandProperty "MediaRouterCastAllowAllIPs" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.28" + Task = "(L1) Ensure 'Allow import of data from other browsers on each Microsoft Edge launch' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportOnEachLaunch" ` + | Select-Object -ExpandProperty "ImportOnEachLaunch" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.29" + Task = "(L1) Ensure 'Allow importing of autofill form data' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportAutofillFormData" ` + | Select-Object -ExpandProperty "ImportAutofillFormData" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.30" + Task = "(L1) Ensure 'Allow importing of browser settings' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportBrowserSettings" ` + | Select-Object -ExpandProperty "ImportBrowserSettings" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.31" + Task = "(L1) Ensure 'Allow importing of home page settings' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportHomepage" ` + | Select-Object -ExpandProperty "ImportHomepage" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.32" + Task = "(L1) Ensure 'Allow importing of payment info' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportPaymentInfo" ` + | Select-Object -ExpandProperty "ImportPaymentInfo" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.33" + Task = "(L1) Ensure 'Allow importing of saved passwords' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportSavedPasswords" ` + | Select-Object -ExpandProperty "ImportSavedPasswords" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.34" + Task = "(L1) Ensure 'Allow importing of search engine settings' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ImportSearchEngine" ` + | Select-Object -ExpandProperty "ImportSearchEngine" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.35" + Task = "(L1) Ensure 'Allow managed extensions to use the Enterprise Hardware Platform API' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EnterpriseHardwarePlatformAPIEnabled" ` + | Select-Object -ExpandProperty "EnterpriseHardwarePlatformAPIEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.36" + Task = "(L2) Ensure 'Allow or block audio capture' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AudioCaptureAllowed" ` + | Select-Object -ExpandProperty "AudioCaptureAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.37" + Task = "(L2) Ensure 'Allow or block video capture' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "VideoCaptureAllowed" ` + | Select-Object -ExpandProperty "VideoCaptureAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.38" + Task = "(L2) Ensure 'Allow or deny screen capture' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ScreenCaptureAllowed" ` + | Select-Object -ExpandProperty "ScreenCaptureAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.39" + Task = "(L1) Ensure 'Allow personalization of ads, Microsoft Edge, search, news and other Microsoft services by sending browsing history, favorites and collections, usage and other browsing data to Microsoft' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "PersonalizationReportingEnabled" ` + | Select-Object -ExpandProperty "PersonalizationReportingEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.40" + Task = "(L1) Ensure 'Allow queries to a Browser Network Time service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BrowserNetworkTimeQueriesEnabled" ` + | Select-Object -ExpandProperty "BrowserNetworkTimeQueriesEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.41" + Task = "(L1) Ensure 'Allow remote debugging' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "RemoteDebuggingAllowed" ` + | Select-Object -ExpandProperty "RemoteDebuggingAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.42" + Task = "(L1) Ensure 'Allow the audio sandbox to run' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AudioSandboxEnabled" ` + | Select-Object -ExpandProperty "AudioSandboxEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.43" + Task = "(L2) Ensure 'Allow unconfigured sites to be reloaded in Internet Explorer mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InternetExplorerIntegrationReloadInIEModeAllowed" ` + | Select-Object -ExpandProperty "InternetExplorerIntegrationReloadInIEModeAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.44" + Task = "(L1) Ensure 'Allow user feedback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "UserFeedbackAllowed" ` + | Select-Object -ExpandProperty "UserFeedbackAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.45" + Task = "(L2) Ensure 'Allow users to open files using the ClickOnce protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ClickOnceEnabled" ` + | Select-Object -ExpandProperty "ClickOnceEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.46" + Task = "(L2) Ensure 'Allow users to open files using the DirectInvoke protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DirectInvokeEnabled" ` + | Select-Object -ExpandProperty "DirectInvokeEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.47" + Task = "(L2) Ensure 'Allow users to proceed from the HTTPS warning page' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SSLErrorOverrideAllowed" ` + | Select-Object -ExpandProperty "SSLErrorOverrideAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.48" + Task = "(L1) Ensure 'Allow websites to query for available payment methods' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "PaymentMethodQueryEnabled" ` + | Select-Object -ExpandProperty "PaymentMethodQueryEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.49" + Task = "(L2) Ensure 'AutoLaunch Protocols Component Enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AutoLaunchProtocolsComponentEnabled" ` + | Select-Object -ExpandProperty "AutoLaunchProtocolsComponentEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.50" + Task = "(L1) Ensure 'Automatically import another browser's data and settings at first run' is set to 'Enabled: Disables automatic import, and the import section of the first-run experience is skipped'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AutoImportAtFirstRun" ` + | Select-Object -ExpandProperty "AutoImportAtFirstRun" + + if (($regValue -ne 4)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.51" + Task = "(L2) Ensure 'Block third party cookies' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BlockThirdPartyCookies" ` + | Select-Object -ExpandProperty "BlockThirdPartyCookies" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.52" + Task = "(L1) Ensure 'Block tracking of users' web-browsing activity' is set to 'Enabled: Balanced (Blocks harmful trackers and trackers from sites user has not visited; content and ads will be less personalized)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "TrackingPrevention" ` + | Select-Object -ExpandProperty "TrackingPrevention" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.53" + Task = "(L2) Ensure 'Browser sign-in settings' is set to 'Enabled: Disable browser sign-in'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BrowserSignin" ` + | Select-Object -ExpandProperty "BrowserSignin" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.54" + Task = "(L1) Ensure 'Clear browsing data when Microsoft Edge closes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ClearBrowsingDataOnExit" ` + | Select-Object -ExpandProperty "ClearBrowsingDataOnExit" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.55" + Task = "(L1) Ensure 'Clear cached images and files when Microsoft Edge closes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ClearCachedImagesAndFilesOnExit" ` + | Select-Object -ExpandProperty "ClearCachedImagesAndFilesOnExit" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.56" + Task = "(L1) Ensure 'Clear history for IE and IE mode every time you exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InternetExplorerModeclearDataOnExitEnabled" ` + | Select-Object -ExpandProperty "InternetExplorerModeclearDataOnExitEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.57" + Task = "(L1) Ensure 'Configure browser process code integrity guard setting' is set to 'Enabled: Enable code integrity guard enforcement in the browser process'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "browserCodeIntegritySetting" ` + | Select-Object -ExpandProperty "browserCodeIntegritySetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.58" + Task = "(L1) Ensure 'Configure InPrivate mode availability' is set to 'Enabled: InPrivate mode disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InPrivateModeAvailability" ` + | Select-Object -ExpandProperty "InPrivateModeAvailability" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.59" + Task = "(L2) Ensure 'Configure Online Text To Speech' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ConfigureOnlineTextToSpeech" ` + | Select-Object -ExpandProperty "ConfigureOnlineTextToSpeech" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.60" + Task = "(L1) Ensure 'Configure Related Matches in Find on Page' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "RelatedMatchesCloudServiceEnabled" ` + | Select-Object -ExpandProperty "RelatedMatchesCloudServiceEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.61" + Task = "(L2) Ensure 'Configure Speech Recognition' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SpeechRecognitionEnabled" ` + | Select-Object -ExpandProperty "SpeechRecognitionEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.62" + Task = "(L1) Ensure 'Configure the list of names that will bypass the HSTS policy check' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "HSTSPolicyBypassList" ` + | Select-Object -ExpandProperty "HSTSPolicyBypassList" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.63 A" + Task = "(L1) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (passwords)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SyncTypesListDisabled" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "passwords") { + return @{ + Message = "Registry value is '$regValue'. Expected: passwords" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.63 B" + Task = "(L2) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (settings)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SyncTypesListDisabled" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "settings") { + return @{ + Message = "Registry value is '$regValue'. Expected: settings" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.63 C" + Task = " (L2) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (favorites)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SyncTypesListDisabled" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "favorites") { + return @{ + Message = "Registry value is '$regValue'. Expected: favorites" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.63 D" + Task = "(L2) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (addressesAndMore)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SyncTypesListDisabled" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "addressesAndMore") { + return @{ + Message = "Registry value is '$regValue'. Expected: addressesAndMore" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.63 E" + Task = "(L2) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (extensions)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SyncTypesListDisabled" ` + -Name "5" ` + | Select-Object -ExpandProperty "5" + + if ($regValue -ne "extensions") { + return @{ + Message = "Registry value is '$regValue'. Expected: extensions" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.63 F" + Task = "(L2) Ensure 'Configure the list of types that are excluded from synchronization' is set to 'Enabled' (collections)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\SyncTypesListDisabled" ` + -Name "6" ` + | Select-Object -ExpandProperty "6" + + if ($regValue -ne "collections") { + return @{ + Message = "Registry value is '$regValue'. Expected: collections" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.64" + Task = "(L1) Ensure 'Configure the Share experience' is set to 'Enabled: Don't allow using the Share experience'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ConfigureShare" ` + | Select-Object -ExpandProperty "ConfigureShare" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.65" + Task = "(L1) Ensure 'Configure whether form data and HTTP headers will be sent when entering or exiting Internet Explorer mode' is set to 'Enabled: Do not send form data or headers'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InternetExplorerIntegrationComplexNavDataTypes" ` + | Select-Object -ExpandProperty "InternetExplorerIntegrationComplexNavDataTypes" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.66" + Task = "(L1) Ensure 'Continue running background apps after Microsoft Edge closes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BackgroundModeEnabled" ` + | Select-Object -ExpandProperty "BackgroundModeEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.67" + Task = "(L1) Ensure 'Control communication with the Experimentation and Configuration Service' is set to 'Enabled: Disable communication with the Experimentation and Configuration Service'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ExperimentationAndConfigurationServiceControl" ` + | Select-Object -ExpandProperty "ExperimentationAndConfigurationServiceControl" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.68" + Task = "(L2) Ensure 'Control use of the Headless Mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "HeadlessModeEnabled" ` + | Select-Object -ExpandProperty "HeadlessModeEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.69" + Task = "(L2) Ensure 'Control use of the Serial API' is set to 'Enable: Do not allow any site to request access to serial ports via the Serial API'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultSerialGuardSetting" ` + | Select-Object -ExpandProperty "DefaultSerialGuardSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.70" + Task = "(L2) Ensure 'Control where security restrictions on insecure origins apply' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "OverrideSecurityRestrictionsOnInsecureOriginDesc" ` + | Select-Object -ExpandProperty "OverrideSecurityRestrictionsOnInsecureOriginDesc" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.71" + Task = "(L2) Ensure 'Default sensor setting' is set to 'Enabled: Do not allow any site to access sensors'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DefaultSensorsSetting" ` + | Select-Object -ExpandProperty "DefaultSensorsSetting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.72" + Task = "(L1) Ensure 'Delete old browser data on migration' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DeleteDataOnMigration" ` + | Select-Object -ExpandProperty "DeleteDataOnMigration" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.73" + Task = "(L1) Ensure 'Disable saving browser history' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SavingBrowserHistoryDisabled" ` + | Select-Object -ExpandProperty "SavingBrowserHistoryDisabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.74" + Task = "(L1) Ensure 'Disable synchronization of data using Microsoft sync services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SyncDisabled" ` + | Select-Object -ExpandProperty "SyncDisabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.75" + Task = "(L1) Ensure 'DNS interception checks enabled' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DNSInterceptionChecksEnabled" ` + | Select-Object -ExpandProperty "DNSInterceptionChecksEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.76" + Task = "(L1) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AutofillAddressEnabled" ` + | Select-Object -ExpandProperty "AutofillAddressEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.77" + Task = "(L1) Ensure 'Enable AutoFill for payment instructions' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AutofillCreditCardEnabled" ` + | Select-Object -ExpandProperty "AutofillCreditCardEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.78" + Task = "(L1) Ensure 'Enable browser legacy extension point blocking' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "BrowserLegacyExtensionPointsBlockingEnabled" ` + | Select-Object -ExpandProperty "BrowserLegacyExtensionPointsBlockingEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.79" + Task = "(L1) Ensure 'Enable component updates in Microsoft Edge' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ComponentUpdatesEnabled" ` + | Select-Object -ExpandProperty "ComponentUpdatesEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.80" + Task = "(L1) Ensure 'Enable CryptoWallet feature' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "CryptoWalletEnabled" ` + | Select-Object -ExpandProperty "CryptoWalletEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.81" + Task = "(L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AllowDeletingBrowserHistory" ` + | Select-Object -ExpandProperty "AllowDeletingBrowserHistory" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.82" + Task = "(L1) Ensure 'Enable Discover access to page contents for AAD profiles' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DiscoverPageContextenabled" ` + | Select-Object -ExpandProperty "DiscoverPageContextenabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.83" + Task = "(L2) Ensure 'Enable Drop feature in Microsoft Edge' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EdgeEdropenabled" ` + | Select-Object -ExpandProperty "EdgeEdropenabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.84" + Task = "(L1) Ensure 'Enable Follow service in Microsoft Edge' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EdgeFollowEnabled" ` + | Select-Object -ExpandProperty "EdgeFollowEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.85" + Task = "(L1) Ensure 'Enable globally scoped HTTP auth cache' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "GloballyScopeHTTPAuthCacheEnabled" ` + | Select-Object -ExpandProperty "GloballyScopeHTTPAuthCacheEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.86" + Task = "(L2) Ensure 'Enable guest mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BrowserGuestModeEnabled" ` + | Select-Object -ExpandProperty "BrowserGuestModeEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.87" + Task = "(L1) Ensure 'Enable network prediction' is set to 'Enabled: Don't predict network actions on any network connection'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "NetworkPredictionOptions" ` + | Select-Object -ExpandProperty "NetworkPredictionOptions" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.88" + Task = "(L1) Ensure 'Enable profile creation from the Identity flyout menu or the Settings page' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "BrowserAddProfileEnabled" ` + | Select-Object -ExpandProperty "BrowserAddProfileEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.89" + Task = "(L1) Ensure 'Enable renderer code integrity' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "RendererCodeIntegrityEnabled" ` + | Select-Object -ExpandProperty "RendererCodeIntegrityEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.90" + Task = "(L1) Ensure 'Enable resolution of navigation errors using a web service' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ResolveNavigationErrorsUseWebService" ` + | Select-Object -ExpandProperty "ResolveNavigationErrorsUseWebService" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.91" + Task = "(L2) Ensure 'Enable Search suggestions' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SearchSuggestEnabled" ` + | Select-Object -ExpandProperty "SearchSuggestEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.92" + Task = "(L1) Ensure 'Enable security warnings for command-line flags' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "CommandLineFlagSecurityWarningsEnabled" ` + | Select-Object -ExpandProperty "CommandLineFlagSecurityWarningsEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.93" + Task = "(L1) Ensure 'Enable site isolation for every site' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SitePerProcess" ` + | Select-Object -ExpandProperty "SitePerProcess" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.94" + Task = "(L2) Ensure 'Enable Translate' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "TranslateEnabled" ` + | Select-Object -ExpandProperty "TranslateEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.95" + Task = "(L1) Ensure 'Enable use of ephemeral profiles' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ForceEphemeralProfiles" ` + | Select-Object -ExpandProperty "ForceEphemeralProfiles" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.96" + Task = "(L1) Ensure 'Enable warnings for insecure forms' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InsecureFormsWarningsEnabled" ` + | Select-Object -ExpandProperty "InsecureFormsWarningsEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.97" + Task = "(L2) Ensure 'Enforce Bing SafeSearch' is set to 'Enabled: Configure moderate search restrictions in Bing'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ForceBingSafeSearch" ` + | Select-Object -ExpandProperty "ForceBingSafeSearch" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.98" + Task = "(L2) Ensure 'Enforce Google SafeSearch' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ForceGoogleSafeSearch" ` + | Select-Object -ExpandProperty "ForceGoogleSafeSearch" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.99" + Task = "(L1) Ensure 'Enhance the security state in Microsoft Edge' is set to 'Enabled: Balanced mode'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EnhanceSecurityMode" ` + | Select-Object -ExpandProperty "EnhanceSecurityMode" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.100" + Task = "(L2) Ensure 'Enhanced Security Mode configuration for Intranet zone sites' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EnhanceSecurityModeBypassIntranet" ` + | Select-Object -ExpandProperty "EnhanceSecurityModeBypassIntranet" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.101" + Task = "(L1) Ensure 'Hide the First-run experience and splash screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "HideFirstRunExperience" ` + | Select-Object -ExpandProperty "HideFirstRunExperience" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.102" + Task = "(L1) Ensure 'In-app support Enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InAppSupportEnabled" ` + | Select-Object -ExpandProperty "InAppSupportEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.103" + Task = "(L2) Ensure 'Let users snip a Math problem and get the solution with a step-by-step explanation in Microsoft Edge' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "MathSolverEnabled" ` + | Select-Object -ExpandProperty "MathSolverEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.104" + Task = "(L2) Ensure 'Live captions allowed' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "LiveCaptionsAllowed" ` + | Select-Object -ExpandProperty "LiveCaptionsAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.105" + Task = "(L1) Ensure 'Manage exposure of local IP addresses by WebRTC' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\WebRtcLocalIpsAllowedUrls" ` + -Name "Default" ` + | Select-Object -ExpandProperty "Default" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.106" + Task = "(L1) Ensure 'Notify a user that a browser restart is recommended or required for pending updates' is set to 'Enabled: Required - Show a recurring prompt to the user indicating that a restart is required'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "RelaunchNotification" ` + | Select-Object -ExpandProperty "RelaunchNotification" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.107" + Task = "(L1) Ensure 'Restrict exposure of local IP address by WebRTC' is set to 'Enabled: Allow public interface over http default route. This doesn't expose the local IP address'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "WebRtcLocalhostIpHandling" ` + | Select-Object -ExpandProperty "WebRtcLocalhostIpHandling" + + if ($regValue -ne "default_public_interface_only") { + return @{ + Message = "Registry value is '$regValue'. Expected: default_public_interface_only" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.108" + Task = "(L1) Ensure 'Set disk cache size, in bytes' is set to 'Enabled: 250609664'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DiskCacheSize" ` + | Select-Object -ExpandProperty "DiskCacheSize" + + if (($regValue -ne 250609664)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 250609664" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.109" + Task = "(L1) Ensure 'Set the time period for update notifications' is set to 'Enabled: 86400000'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "RelaunchNotificationPeriod" ` + | Select-Object -ExpandProperty "RelaunchNotificationPeriod" + + if (($regValue -ne 86400000)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 86400000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.110" + Task = "(L1) Ensure 'Shopping in Microsoft Edge Enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "EdgeShoppingAssistantEnabled" ` + | Select-Object -ExpandProperty "EdgeShoppingAssistantEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.111" + Task = "(L2) Ensure 'Show an `"Always open`" checkbox in external protocol dialog' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ExternalProtocolDialogShowAlwaysOpenCheckbox" ` + | Select-Object -ExpandProperty "ExternalProtocolDialogShowAlwaysOpenCheckbox" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.112" + Task = "(L1) Ensure 'Show Microsoft Rewards experiences' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "ShowMicrosoftRewards" ` + | Select-Object -ExpandProperty "ShowMicrosoftRewards" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.113" + Task = "(L1) Ensure 'Show the Reload in Internet Explorer mode button in the toolbar' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "InternetExplorerModeToolbarButtonEnabled" ` + | Select-Object -ExpandProperty "InternetExplorerModeToolbarButtonEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.114" + Task = "(L1) Ensure 'Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SharedArrayBufferUnrestrictedAccessAllowed" ` + | Select-Object -ExpandProperty "SharedArrayBufferUnrestrictedAccessAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.115" + Task = "(L2) Ensure 'Specify if online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "RequireOnlineRevocationChecksForLocalAnchors" ` + | Select-Object -ExpandProperty "RequireOnlineRevocationChecksForLocalAnchors" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.116" + Task = "(L2) Ensure 'Spell checking provided by Microsoft Editor' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "MicrosoftEditorProofingEnabled" ` + | Select-Object -ExpandProperty "MicrosoftEditorProofingEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.117" + Task = "(L1) Ensure 'Standalone Sidebar Enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "StandaloneHubsSidebarEnabled" ` + | Select-Object -ExpandProperty "StandaloneHubsSidebarEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.118" + Task = "(L1) Ensure 'Suggest similar pages when a webpage can’t be found' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "AlternateErrorPagesEnabled" ` + | Select-Object -ExpandProperty "AlternateErrorPagesEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.119" + Task = "(L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SuppressUnsupportedOSWarning" ` + | Select-Object -ExpandProperty "SuppressUnsupportedOSWarning" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.120" + Task = "(L2) Ensure 'Tab Services enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "TabservicesEnabled" ` + | Select-Object -ExpandProperty "TabservicesEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.121" + Task = "(L2) Ensure 'Text prediction enabled by default' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "TextPredictionEnabled" ` + | Select-Object -ExpandProperty "TextPredictionEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.122" + Task = "(L1) Ensure 'Wait for Internet Explorer mode tabs to completely unload before ending the browser session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "InternetExplorerIntegrationAlwayswaitForUnload" ` + | Select-Object -ExpandProperty "InternetExplorerIntegrationAlwayswaitForUnload" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1.1" + Task = "(L1) Ensure 'Update policy override default' is set to 'Enabled: Always allow updates (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate" ` + -Name "UpdateDefault" ` + | Select-Object -ExpandProperty "UpdateDefault" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.3.1" + Task = "(L1) Ensure 'Auto-update check period override' is set to any value except '0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate" ` + -Name "AutoUpdateCheckPeriodMinutes" ` + | Select-Object -ExpandProperty "AutoUpdateCheckPeriodMinutes" + + if (($regValue -lt 1 -and $regValue -gt 43200)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 43200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Edge-Microsoft-117#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Edge-Microsoft-117#RegistrySettings.ps1 new file mode 100644 index 0000000..cc37be1 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Edge-Microsoft-117#RegistrySettings.ps1 
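Review bot: the range check in test 3.3.1 (`AutoUpdateCheckPeriodMinutes`) can never fire: `if (($regValue -lt 1 -and $regValue -gt 43200))` requires a value that is both below 1 and above 43200, so the value 0 that the Task says must be rejected is reported as Compliant. The message text `Expected: x > 0 and x <= 43200` states the intended invariant; the condition should be its negation, `$regValue -lt 1 -or $regValue -gt 43200`. A style point in the same hunk: test 1.114 reads `Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge` while every other test in the file spells the hive path `SOFTWARE`; the registry is case-insensitive so behaviour is unchanged, but one spelling keeps text searches over the audited paths reliable.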
@@ -0,0 +1,684 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "Ensure 'Enable site isolation for every site' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SitePerProcess" ` + | Select-Object -ExpandProperty "SitePerProcess" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "Ensure 'Supported authentication schemes' is set to 'ntlm, negotiate'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "AuthSchemes" ` + | Select-Object -ExpandProperty "AuthSchemes" + + if ($regValue -notmatch "^(ntlm\s*,\s*negotiate|negotiate\s*,\s*ntlm)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: ntlm, negotiate" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "Ensure 'Allow user-level native messaging hosts (installed without admin permissions)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "NativeMessagingUserLevelHosts" ` + | Select-Object -ExpandProperty "NativeMessagingUserLevelHosts" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SmartScreenEnabled" ` + | Select-Object -ExpandProperty "SmartScreenEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "PreventSmartScreenPromptOverride" ` + | Select-Object -ExpandProperty "PreventSmartScreenPromptOverride" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "PreventSmartScreenPromptOverrideForFiles" ` + | Select-Object -ExpandProperty "PreventSmartScreenPromptOverrideForFiles" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "Ensure 'Allow users to proceed from the HTTPS warning page' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SSLErrorOverrideAllowed" ` + | Select-Object -ExpandProperty "SSLErrorOverrideAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.8" + Task = "Ensure 'Configure Microsoft Defender SmartScreen to block potentially unwanted apps' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SmartScreenPuaEnabled" ` + | Select-Object -ExpandProperty "SmartScreenPuaEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.9" + Task = "Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "BasicAuthOverHttpEnabled" ` + | Select-Object -ExpandProperty "BasicAuthOverHttpEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.10" + Task = "Ensure 'Allow unconfigured sites to be reloaded in Internet Explorer mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "InternetExplorerIntegrationReloadInIEModeAllowed" ` + | Select-Object -ExpandProperty "InternetExplorerIntegrationReloadInIEModeAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.11" + Task = "Ensure 'Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "SharedArrayBufferUnrestrictedAccessAllowed" ` + | Select-Object -ExpandProperty "SharedArrayBufferUnrestrictedAccessAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.12" + Task = "Ensure 'Specifies whether to allow websites to make requests to more-private network endpoints' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "InsecurePrivateNetworkRequestsAllowed" ` + | Select-Object -ExpandProperty "InsecurePrivateNetworkRequestsAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.13" + Task = "Ensure 'Enable browser legacy extension point blocking' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "BrowserLegacyExtensionPointsBlockingEnabled" ` + | Select-Object -ExpandProperty "BrowserLegacyExtensionPointsBlockingEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.14" + Task = "Ensure 'Show the Reload in Internet Explorer mode button in the toolbar' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "InternetExplorerModeToolbarButtonEnabled" ` + | Select-Object -ExpandProperty "InternetExplorerModeToolbarButtonEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.15" + Task = "Ensure 'Configure Edge TyposquattingChecker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "TyposquattingCheckerEnabled" ` + | Select-Object -ExpandProperty "TyposquattingCheckerEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.16" + Task = "Ensure 'Enhance images enabled' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "EdgeEnhanceImagesEnabled" ` + | Select-Object -ExpandProperty "EdgeEnhanceImagesEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.17" + Task = "Ensure 'Force WebSQL to be enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "WebSQLAccess" ` + | Select-Object -ExpandProperty "WebSQLAccess" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.18" + Task = "Ensure 'Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed" ` + | Select-Object -ExpandProperty "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.20" + Task = "Block all extensions not on allow list" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-CIS-1.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-CIS-1.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..7962c4b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-CIS-1.0.0#RegistrySettings.ps1 
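Review bot: test 1.1.20 only inspects the property named `1` under `ExtensionInstallBlocklist`, so a deployment that lists `*` under any other index (for example because specific extension IDs occupy the first entries) is reported as non-compliant even though every extension outside the allow list is blocked. Read all properties of the key (`Get-ItemProperty` on the key path, then inspect its properties) and pass when any of them equals `*`. Two documentation points in the same hunk: the Ids jump from 1.1.18 to 1.1.20 with no 1.1.19, which should either be added or recorded as intentionally omitted, and the Task string `Block all extensions not on allow list` does not follow the `Ensure '...' is set to '...'` wording used by every other test in this file.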
@@ -0,0 +1,5650 @@ +[AuditTest] @{ + Id = "1.1" + Task = "Set 'Turn on Enhanced Protected Mode' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2" + Task = "Set 'Allow software to run or install even if the signature is invalid' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3" + Task = "Set 'Prevent Bypassing SmartScreen Filter Warnings' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4" + Task = "Set 'Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5" + Task = "Configure 'Do not allow users to enable or disable add-ons'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoExtensionManagement" ` + | Select-Object -ExpandProperty "NoExtensionManagement" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.6" + Task = "Set 'Disable Save this program to disk option' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoSelectDownloadDir" ` + | Select-Object -ExpandProperty "NoSelectDownloadDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "Set 'Prevent per-user installation of ActiveX controls' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.2" + Task = "Set 'Specify use of ActiveX Installer Service for installation of ActiveX controls' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" ` + -Name "OnlyUseAXISForActiveXInstall" ` + | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3" + Task = "Set 'Turn on ActiveX Filtering' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering" ` + -Name "IsEnabled" ` + | Select-Object -ExpandProperty "IsEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4" + Task = "Set 'Turn off ActiveX opt-in prompt' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "NoFirsttimeprompt" ` + | Select-Object -ExpandProperty "NoFirsttimeprompt" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.5" + Task = "Set 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1" + Task = "Configure 'Prevent deleting websites that the user has visited'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "CleanHistory" ` + | Select-Object -ExpandProperty "CleanHistory" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.2" + Task = "Configure 'Prevent Deleting Cookies'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "CleanCookies" ` + | Select-Object -ExpandProperty "CleanCookies" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.3" + Task = "Set 'Disable `"Configuring History`"' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "History" ` + | Select-Object -ExpandProperty "History" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.4" + Task = "Set 'Days to keep pages in History' to '40'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History" ` + -Name "DaysToKeep" ` + | Select-Object -ExpandProperty "DaysToKeep" + + if (($regValue -lt 40)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 40" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.5" + Task = "Configure 'Prevent Deleting Temporary Internet Files'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "CleanTIF" ` + | Select-Object -ExpandProperty "CleanTIF" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.6" + Task = "Configure 'Allow deleting browsing history on exit'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "CleanBrowsingHistoryOnExit" ` + | Select-Object -ExpandProperty "CleanBrowsingHistoryOnExit" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.7" + Task = "Set 'Prevent access to Delete Browsing History' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "DisableDeleteBrowsingHistory" ` + | Select-Object -ExpandProperty "DisableDeleteBrowsingHistory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.8" + Task = "Configure 'Turn off InPrivate Browsing'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "EnableInPrivateBrowsing" ` + | Select-Object -ExpandProperty "EnableInPrivateBrowsing" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1" + Task = "Configure 'URL to be displayed for updates:'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Update_Check_Page" ` + | Select-Object -ExpandProperty "Update_Check_Page" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.2" + Task = "Set 'Update check interval (in days):' to 'Enabled:30'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Update_Check_Interval" ` + | Select-Object -ExpandProperty "Update_Check_Interval" + + if ($regValue -ne 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3" + Task = "Configure 'Automatically check for Internet Explorer updates'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "NoUpdateCheck" ` + | Select-Object -ExpandProperty "NoUpdateCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.4" + Task = "Configure 'Install new versions of Internet Explorer automatically'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "EnableAutoUpgrade" ` + | Select-Object -ExpandProperty "EnableAutoUpgrade" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "Set 'Turn off Encryption Support' to 'Use TLS 1.1 and TLS 1.2'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if ($regValue -ne 2560) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "Set 'Check for server certificate revocation' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "Set 'Check for signatures on downloaded programs' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "Set 'Turn on certificate address mismatch warning' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.5" + Task = "Set 'Prevent ignoring certificate errors' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.6" + Task = "Set 'Disable changing certificate settings' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "Certificates" ` + | Select-Object -ExpandProperty "Certificates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "6.1" + Task = "Set 'Turn off browser geolocation' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Geolocation" ` + -Name "PolicyDisableGeolocation" ` + | Select-Object -ExpandProperty "PolicyDisableGeolocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "6.2" + Task = "Configure 'Turn off URL Suggestions'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "6.3" + Task = "Configure 'Prevent participation in the Customer Experience Improvement Program'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\SQM" ` + -Name "DisableCustomerImprovementProgram" ` + | Select-Object -ExpandProperty "DisableCustomerImprovementProgram" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "6.4" + Task = "Configure 'Turn on Suggested Sites'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Suggested Sites" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.1" + Task = "Set 'Restrict ActiveX Install' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplorer.exe" ` + | Select-Object -ExpandProperty "iexplorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.2" + Task = "Set 'Scripted Window Security Restrictions' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.3" + Task = "Set 'Mime Sniffing Safety Feature' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.4" + Task = "Set 'Notification bar' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.5" + Task = "Set 'MK Protocol Security Restriction' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplorer.exe" ` + | Select-Object -ExpandProperty "iexplorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.6" + Task = "Set 'Consistent Mime Handling' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.7" + Task = "Set 'Restrict File Download' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplorer.exe" ` + | Select-Object -ExpandProperty "iexplorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7.8" + Task = "Set 'Protection From Zone Elevation' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.2" + Task = "Set 'Allow paste operations via script' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.3" + Task = "Set 'Protected Mode' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.4" + Task = "Set 'Turn on Cross-Site Scripting (XSS) Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.5" + Task = "Set 'Run .NET Framework-reliant components signed with Authenticode' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.6" + Task = "Set 'Use Pop-up Blocker' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.7" + Task = "Set 'Scriptlets' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.8" + Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.9" + Task = "Set 'Allow drag and drop or copy and paste files' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.10" + Task = "Set 'Run .NET Framework-reliant components not signed with Authenticode' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.11" + Task = "Set 'Internet Explorer web browser control' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.12" + Task = "Set 'Download unsigned ActiveX controls' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.13" + Task = "Set 'Download signed ActiveX controls' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.14" + Task = "Set 'Allow font downloads' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1604" ` + | Select-Object -ExpandProperty "1604" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.15" + Task = "Set 'Launching programs and unsafe files' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.16" + Task = "Set 'Automatic prompting for file downloads' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.17" + Task = "Set 'Allow installation of desktop items' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1800" ` + | Select-Object -ExpandProperty "1800" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.18" + Task = "Set 'XAML Files' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.19" + Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.20" + Task = "Set 'Enable MIME Sniffing' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2100" ` + | Select-Object -ExpandProperty "2100" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.21" + Task = "Set 'Logon options' to 'Enabled:Prompt for user name and password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.22" + Task = "Set 'Access data sources across domains' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.23" + Task = "Set 'Status bar updates via script' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.24" + Task = "Set 'Include local directory path when uploading files to a server' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.25" + Task = "Set 'Userdata persistence' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.26" + Task = "Set 'Enable dragging of content from different domains within a window' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.27" + Task = "Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.28" + Task = "Set 'Enable dragging of content from different domains across windows' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.29" + Task = "Set 'Allow script-initiated windows without size or position constraints' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.30" + Task = "Set 'Launching applications and files in an IFRAME' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.31" + Task = "Set 'Software channel permissions' to 'Enabled:High safety'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1E05" ` + | Select-Object -ExpandProperty "1E05" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.32" + Task = "Configure 'First-Run Opt-In'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1208" ` + | Select-Object -ExpandProperty "1208" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.33" + Task = "Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1.34" + Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.2.1" + Task = "Set 'Java permissions' to 'Enabled:High safety'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.2.2" + Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.2.3" + Task = "Set 'Intranet Sites: Include all network paths (UNCs)' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.2.4" + Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.2" + Task = "Set 'Allow drag and drop or copy and paste files' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.3" + Task = "Set 'Download signed ActiveX controls' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.4" + Task = "Set 'Script ActiveX controls marked safe for scripting' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.5" + Task = "Set 'Allow active scripting' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.6" + Task = "Set 'Turn on Cross-Site Scripting (XSS) Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.7" + Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.8" + Task = "Set 'Run .NET Framework-reliant components signed with Authenticode' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.9" + Task = "Set 'Allow paste operations via script' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.10" + Task = "Set 'Protected Mode' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.11" + Task = "Set 'Allow installation of desktop items' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1800" ` + | Select-Object -ExpandProperty "1800" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.12" + Task = "Set 'Launching programs and unsafe files' to 'Enabled:Prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.13" + Task = "Set 'Automatic prompting for file downloads' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.14" + Task = "Set 'XAML Files' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.15" + Task = "Set 'Allow font downloads' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1604" ` + | Select-Object -ExpandProperty "1604" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.16" + Task = "Set 'Enable MIME Sniffing' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2100" ` + | Select-Object -ExpandProperty "2100" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.17" + Task = "Set 'Internet Explorer web browser control' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.18" + Task = "Set 'Allow Binary and Script Behaviors' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.19" + Task = "Set 'Scripting of Java applets' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.20" + Task = "Set 'Use Pop-up Blocker' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.21" + Task = "Set 'Download unsigned ActiveX controls' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.22" + Task = "Set 'Scriptlets' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.23" + Task = "Set 'Allow file downloads' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.24" + Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.25" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.26" + Task = "Set 'Run ActiveX controls and plugins' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.27" + Task = "Set 'Run .NET Framework-reliant components not signed with Authenticode' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.28" + Task = "Set 'Logon options' to 'Enabled:Anonymous logon'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.29" + Task = "Set 'Allow script-initiated windows without size or position constraints' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.30" + Task = "Set 'Allow META REFRESH' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.31" + Task = "Set 'Userdata persistence' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.32" + Task = "Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.33" + Task = "Set 'Software channel permissions' to 'Enabled:High safety'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1E05" ` + | Select-Object -ExpandProperty "1E05" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.34" + Task = "Set 'Include local directory path when uploading files to a server' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.35" + Task = "Set 'Enable dragging of content from different domains within a window' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.36" + Task = "Set 'Status bar updates via script' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.37" + Task = "Set 'Access data sources across domains' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.38" + Task = "Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.39" + Task = "Configure 'First-Run Opt-In'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1208" ` + | Select-Object -ExpandProperty "1208" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.40" + Task = "Set 'Enable dragging of content from different domains across windows' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.41" + Task = "Set 'Launching applications and files in an IFRAME' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.3.42" + Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.4.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.4.2" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.4.3" + Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.5.1" + Task = "Set 'Java permissions' to 'Enabled:High safety'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.5.2" + Task = "Set 'Initialize and script ActiveX controls not marked as safe' to 'Enabled:Disable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.5.3" + Task = "Set 'Don't run antimalware programs against ActiveX controls' to 'Enabled:Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.6.1" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.6.2" + Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.7.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.7.2" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.8.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.8.2" + Task = "Set 'Only allow approved domains to use ActiveX controls without prompt' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.8.3" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.9.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.9.2" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.10.1" + Task = "Set 'Java permissions' to 'Enabled:Disable Java'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.10.2" + Task = "Set 'Use SmartScreen Filter' to 'Enabled:Enable'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.11" + Task = "Set 'Security Zones: Do not allow users to change policies' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.12" + Task = "Set 'Security Zones: Do not allow users to add/delete sites' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.13" + Task = "Set 'Security Zones: Use only machine settings' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1" + Task = "Set 'Disable the Security page' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "SecurityTab" ` + | Select-Object -ExpandProperty "SecurityTab" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2" + Task = "Set 'Disable the Advanced page' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "AdvancedTab" ` + | Select-Object -ExpandProperty "AdvancedTab" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.3" + Task = "Set 'Prevent downloading of enclosures' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.4" + Task = "Set 'Turn on Basic feed authentication over HTTP' to 'Not Configured'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.5" + Task = "Configure 'Make proxy settings per-machine (rather than per-user)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "ProxySettingsPerUser" ` + | Select-Object -ExpandProperty "ProxySettingsPerUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.6" + Task = "Configure 'Do not display the reveal password button'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.7" + Task = "Set 'Prevent changing proxy settings' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "Proxy" ` + | Select-Object -ExpandProperty "Proxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.8" + Task = "Configure 'Disable changing Automatic Configuration settings'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "Autoconfig" ` + | Select-Object -ExpandProperty "Autoconfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.9" + Task = "Set 'Prevent `"Fix settings`" functionality' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableFixSecuritySettings" ` + | Select-Object -ExpandProperty "DisableFixSecuritySettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.10" + Task = "Set 'Turn off the Security Settings Check feature' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.11_1" + Task = "Configure 'Disable changing connection settings'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "ProxySettingsPerUser" ` + | Select-Object -ExpandProperty "ProxySettingsPerUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.11_2" + Task = "Configure 'Disable changing connection settings'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "Proxy" ` + | Select-Object -ExpandProperty "Proxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.12" + Task = "Set 'Turn off Crash Detection' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.13" + Task = "Set 'Disable AutoComplete for forms' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "FormSuggest" ` + | Select-Object -ExpandProperty "FormSuggest" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.14" + Task = "Set 'Turn on the auto-complete feature for user names and passwords on forms' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.15" + Task = "Set 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-DISA-V1R16#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-DISA-V1R16#RegistrySettings.ps1 new file mode 100644 index 0000000..0f15a10 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-DISA-V1R16#RegistrySettings.ps1 
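Review bot: Test 9.4 contradicts its own task text: the task asks for 'Turn on Basic feed authentication over HTTP' to be 'Not Configured', but the Test requires `AllowBasicAuthInClear` to equal 0 and returns `Message = "Registry value not found."` with `Status = "False"` when the value is absent. A not-configured policy writes nothing under the Policies key, so every host in the stated target state is reported non-compliant; either make the PSArgumentException branch return Compliant for this test or change the task wording to the 'Disabled' state the check actually verifies. In the same hunk, 9.6 and 9.8 expect `DisablePasswordReveal` and `Autoconfig` to equal 0, which is the value the restriction has when it is switched off, so those expected values are worth confirming against the benchmark before merging. Tests 9.13 and 9.14 read `HKEY_CURRENT_USER`, which under an elevated or scheduled audit is the auditing account's hive rather than the end user's; that limitation should at least be stated in the message. 9.11_1 and 9.11_2 repeat the checks of 9.5 and 9.7 byte for byte (same path, value name and expected value), and the roughly thirty try/catch bodies differ only in path, name and expected value, so a single helper taking those three parameters would remove the duplication and keep the messages consistent.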
@@ -0,0 +1,4968 @@ +[AuditTest] @{ + Id = "DTBI014-IE11" + Task = "Turn off Encryption Support must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if ($regValue -ne 2560) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI015-IE11" + Task = "The Internet Explorer warning about certificate address mismatch must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI018-IE11" + Task = "Check for publishers certificate revocation must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" ` + -Name "State" ` + | Select-Object -ExpandProperty "State" + + if ($regValue -ne 146432) { + return @{ + Message = "Registry value is '$regValue'. Expected: 146432" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI022-IE11" + Task = "The Download signed ActiveX controls property must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI023-IE11" + Task = "The Download unsigned ActiveX controls property must be disallowed (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI024-IE11" + Task = "The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI030-IE11" + Task = "Font downloads must be disallowed (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1604" ` + | Select-Object -ExpandProperty "1604" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI031-IE11" + Task = "The Java permissions must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI032-IE11" + Task = "Accessing data sources across domains must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI036-IE11" + Task = "Functionality to drag and drop or copy and paste files must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI038-IE11" + Task = "Launching programs and files in IFRAME must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI039-IE11" + Task = "Navigating windows and frames across different domains must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI042-IE11" + Task = "Userdata persistence must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI044-IE11" + Task = "Clipboard operations via script must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI046-IE11" + Task = "Logon options must be configured to prompt (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI061-IE11" + Task = "Java permissions must be configured with High Safety (Intranet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI091-IE11" + Task = "Java permissions must be configured with High Safety (Trusted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1000-IE11" + Task = "Dragging of content from different domains within a window must be disallowed (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1005-IE11" + Task = "Dragging of content from different domains across windows must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1010-IE11" + Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1020-IE11" + Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1025-IE11" + Task = "Dragging of content from different domains within a window must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI112-IE11" + Task = "The Download signed ActiveX controls property must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI113-IE11" + Task = "The Download unsigned ActiveX controls property must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI114-IE11" + Task = "The Initialize and script ActiveX controls not marked as safe property must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI115-IE11" + Task = "ActiveX controls and plug-ins must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI116-IE11" + Task = "ActiveX controls marked safe for scripting must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI119-IE11" + Task = "File downloads must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI120-IE11" + Task = "Font downloads must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1604" ` + | Select-Object -ExpandProperty "1604" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI121-IE11" + Task = "Java permissions must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI122-IE11" + Task = "Accessing data sources across domains must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI123-IE11" + Task = "The Allow META REFRESH property must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI126-IE11" + Task = "Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI128-IE11" + Task = "Launching programs and files in IFRAME must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI129-IE11" + Task = "Navigating windows and frames across different domains must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI132-IE11" + Task = "Userdata persistence must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI133-IE11" + Task = "Active scripting must be disallowed (Restricted Sites Zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI134-IE11" + Task = "Clipboard operations via script must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI136-IE11" + Task = "Logon options must be configured and enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI300-IE11" + Task = "Configuring History setting must be set to 40 days." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History" ` + -Name "DaysToKeep" ` + | Select-Object -ExpandProperty "DaysToKeep" + + if ($regValue -ne 40) { + return @{ + Message = "Registry value is '$regValue'. Expected: 40" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI318-IE11" + Task = "Internet Explorer must be set to disallow users to add/delete sites." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI319-IE11" + Task = "Internet Explorer must be configured to disallow users to change policies." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI320-IE11" + Task = "Internet Explorer must be configured to use machine settings." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI325-IE11" + Task = "Security checking features must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI350-IE11" + Task = "Software must be disallowed to run or install with invalid signatures." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI365-IE11" + Task = "Checking for server certificate revocation must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI370-IE11" + Task = "Checking for signatures on downloaded programs must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI375-IE11" + Task = "All network paths (UNCs) for Intranet sites must be disallowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI385-IE11" + Task = "Script-initiated windows without size or position constraints must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI390-IE11" + Task = "Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI395-IE11" + Task = "Scriptlets must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI415-IE11" + Task = "Automatic prompting for file downloads must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI425-IE11" + Task = "Java permissions must be disallowed (Local Machine zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI430-IE11" + Task = "Java permissions must be disallowed (Locked Down Local Machine zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI435-IE11" + Task = "Java permissions must be disallowed (Locked Down Intranet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI440-IE11" + Task = "Java permissions must be disallowed (Locked Down Trusted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI450-IE11" + Task = "Java permissions must be disallowed (Locked Down Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI455-IE11" + Task = "XAML files must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI460-IE11" + Task = "XAML files must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI485-IE11" + Task = "Protected Mode must be enforced (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI490-IE11" + Task = "Protected Mode must be enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI495-IE11" + Task = "Pop-up Blocker must be enforced (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI500-IE11" + Task = "Pop-up Blocker must be enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI515-IE11" + Task = "Websites in less privileged web content zones must be prevented from navigating into the Internet zone." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI520-IE11" + Task = "Websites in less privileged web content zones must be prevented from navigating into the Restricted Sites zone." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI575-IE11" + Task = "Allow binary and script behaviors must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI580-IE11" + Task = "Automatic prompting for file downloads must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI590-IE11" + Task = "Internet Explorer Processes for MIME handling must be enforced. 
(Reserved)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI592-IE11" + Task = "Internet Explorer Processes for MIME handling must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI594-IE11" + Task = "Internet Explorer Processes for MIME handling must be enforced (iexplore)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI595-IE11" + Task = "Internet Explorer Processes for MIME sniffing must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI596-IE11" + Task = "Internet Explorer Processes for MIME sniffing must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI597-IE11" + Task = "Internet Explorer Processes for MIME sniffing must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI599-IE11" + Task = "Internet Explorer Processes for MK protocol must be enforced (Reserved)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI600-IE11" + Task = "Internet Explorer Processes for MK protocol must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI605-IE11" + Task = "Internet Explorer Processes for MK protocol must be enforced (iexplore)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI610-IE11" + Task = "Internet Explorer Processes for Zone Elevation must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI612-IE11" + Task = "Internet Explorer Processes for Zone Elevation must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI614-IE11" + Task = "Internet Explorer Processes for Zone Elevation must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI630-IE11" + Task = "Internet Explorer Processes for Restrict File Download must be enforced (Reserved)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI635-IE11" + Task = "Internet Explorer Processes for Restrict File Download must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI640-IE11" + Task = "Internet Explorer Processes for Restrict File Download must be enforced (iexplore)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI645-IE11" + Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI647-IE11" + Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI649-IE11" + Task = "Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI650-IE11" + Task = ".NET Framework-reliant components not signed with Authenticode must be disallowed to run (Restricted Sites Zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI655-IE11" + Task = ".NET Framework-reliant components signed with Authenticode must be disallowed to run (Restricted Sites Zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI670-IE11" + Task = "Scripting of Java applets must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI690-IE11" + Task = "AutoComplete feature for forms must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Use FormSuggest" ` + | Select-Object -ExpandProperty "Use FormSuggest" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI715-IE11" + Task = "Crash Detection management must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI725-IE11" + Task = "Turn on the auto-complete feature for user names and passwords on forms must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest PW Ask" ` + | Select-Object -ExpandProperty "FormSuggest PW Ask" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI740-IE11" + Task = "Managing SmartScreen Filter use must be enforced." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI760-IE11" + Task = "Browser must retain history on exit." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "ClearBrowsingHistoryOnExit" ` + | Select-Object -ExpandProperty "ClearBrowsingHistoryOnExit" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI770-IE11" + Task = "Deleting websites that the user has visited must be disallowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "CleanHistory" ` + | Select-Object -ExpandProperty "CleanHistory" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI780-IE11" + Task = "InPrivate Browsing must be disallowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Privacy" ` + -Name "EnableInPrivateBrowsing" ` + | Select-Object -ExpandProperty "EnableInPrivateBrowsing" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI800-IE11" + Task = "Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI810-IE11" + Task = "When uploading files to a server, the local directory path must be excluded (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI815-IE11" + Task = "Internet Explorer Processes for Notification Bars must be enforced (Reserved)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI820-IE11" + Task = "Security Warning for unsafe files must be set to prompt (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI825-IE11" + Task = "Internet Explorer Processes for Notification Bars must be enforced (Explorer)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI830-IE11" + Task = "ActiveX controls without prompt property must be used in approved domains only (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI835-IE11" + Task = "Internet Explorer Processes for Notification Bars must be enforced (iexplore)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI840-IE11" + Task = "Cross-Site Scripting Filter must be enforced (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI850-IE11" + Task = "Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI860-IE11" + Task = "When uploading files to a server, the local directory path must be excluded (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI870-IE11" + Task = "Security Warning for unsafe files must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI880-IE11" + Task = "ActiveX controls without prompt property must be used in approved domains only (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI890-IE11" + Task = "Cross-Site Scripting Filter property must be enforced (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI900-IE11" + Task = "Internet Explorer Processes Restrict ActiveX Install must be enforced (Reserved)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI910-IE11" + Task = "Status bar updates via script must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI920-IE11" + Task = ".NET Framework-reliant components not signed with Authenticode must be disallowed to run (Internet zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI930-IE11" + Task = ".NET Framework-reliant components signed with Authenticode must be disallowed to run (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI940-IE11" + Task = "Scriptlets must be disallowed (Restricted Sites zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI950-IE11" + Task = "Status bar updates via script must be disallowed (Restricted Sites zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI985-IE11" + Task = "When Enhanced Protected Mode is enabled, ActiveX controls must be disallowed to run in Protected Mode." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI990-IE11" + Task = "Dragging of content from different domains across windows must be disallowed (Internet zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI995-IE11" + Task = "Enhanced Protected Mode functionality must be enforced." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI356-IE11" + Task = "The 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1046-IE11" + Task = "Anti-Malware programs against ActiveX controls must be run for the Internet zone." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI062-IE11" + Task = "Anti-Malware programs against ActiveX controls must be run for the Intranet zone." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI426-IE11" + Task = "Anti-Malware programs against ActiveX controls must be run for the Local Machine zone." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1051-IE11" + Task = "Anti-Malware programs against ActiveX controls must be run for the Restricted Sites zone." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI092-IE11" + Task = "Anti-Malware programs against ActiveX controls must be run for the Trusted Sites zone." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1060-IE11" + Task = "Prevent bypassing SmartScreen Filter warnings must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1065-IE11" + Task = "Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the internet must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1070-IE11" + Task = "Prevent per-user installation of ActiveX controls must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1075-IE11" + Task = "Prevent ignoring certificate errors option must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1080-IE11" + Task = "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1085-IE11" + Task = "Turn on SmartScreen Filter scan option for the Restricted Sites Zone must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1090-IE11" + Task = "The Initialize and script ActiveX controls not marked as safe must be disallowed (Intranet Zone)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1095-IE11" + Task = "The Initialize and script ActiveX controls not marked as safe must be disallowed (Trusted Sites Zone)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1100-IE11" + Task = "Allow Fallback to SSL 3.0 (Internet Explorer) must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "EnableSSL3Fallback" ` + | Select-Object -ExpandProperty "EnableSSL3Fallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1105-IE11" + Task = "Run once selection for running outdated ActiveX controls must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "RunThisTimeEnabled" ` + | Select-Object -ExpandProperty "RunThisTimeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1110-IE11" + Task = "Enabling outdated ActiveX controls for Internet Explorer must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "VersionCheckEnabled" ` + | Select-Object -ExpandProperty "VersionCheckEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1115-IE11" + Task = "Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1120-IE11" + Task = "Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1125-IE11" + Task = "VBScript must not be allowed to run in Internet Explorer (Internet zone).(This policy setting will only exist on Windows 10 Redstone 2 or later)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "DTBI1130-IE11" + Task = "VBScript must not be allowed to run in Internet Explorer (Restricted Sites zone).(This policy setting will only exist on Windows 10 Redstone 2 or later)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
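Review bot: DTBI1125-IE11 and DTBI1130-IE11 state in their Task text that the 140C policy value only exists on Windows 10 Redstone 2 or later, yet both catch branches (`Message = "Registry value not found."` and `Message = "Registry key not found."`) return `Status = "False"`, so every older host will be reported as non-compliant rather than as not applicable; gate these two tests on the OS build or return a distinct not-applicable status before they are merged. While touching those two entries, the Task strings also lack a space between "(Internet zone)." / "(Restricted Sites zone)." and "(This policy setting ...)".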
diff --git a/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-MS-2004#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-MS-2004#RegistrySettings.ps1 new file mode 100644 index 0000000..e25ac0f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Internet Explorer 11-MS-2004#RegistrySettings.ps1 
@@ -0,0 +1,4860 @@ +[AuditTest] @{ + Id = "REG-001" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-002" + Task = "Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest PW Ask" ` + | Select-Object -ExpandProperty "FormSuggest PW Ask" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-003" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-001" + Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "RunThisTimeEnabled" ` + | Select-Object -ExpandProperty "RunThisTimeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-002" + Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "VersionCheckEnabled" ` + | Select-Object -ExpandProperty "VersionCheckEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-003" + Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-004" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-005" + Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-006" + Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-007" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-008" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-009" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-010" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-011" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-012" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-013" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-014" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-015" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-016" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-017" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-018" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-019" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-020" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-021" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-022" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-023" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-024" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-025" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-026" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-027" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-028" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-029" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-030" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-031" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-032" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-033" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-034" + Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-035" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-036" + Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-037" + Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-038" + Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" ` + -Name "OnlyUseAXISForActiveXInstall" ` + | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-039" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-040" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-041" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-042" + Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-043" + Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-044" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-045" + Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "EnableSSL3Fallback" ` + | Select-Object -ExpandProperty "EnableSSL3Fallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-046" + Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if ($regValue -ne 2560) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-047" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-048" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-049" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-050" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-051" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-052" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-053" + Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-054" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-055" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-056" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-057" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-058" + Task = "Ensure 'Java permissions' is set to 'High safety'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-059" + Task = "Ensure 'Java permissions' is set to 'High safety'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-060" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-061" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-062" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-063" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-064" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-065" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-066" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-067" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-068" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-069" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-070" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-071" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-072" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-073" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-074" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-075" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-076" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-077" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-078" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-079" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-080" + Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-081" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-082" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-083" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-084" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-085" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-086" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-087" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-088" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-089" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-090" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-091" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-092" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-093" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-094" + Task = "Ensure 'Allow META REFRESH' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-095" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-096" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-097" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-098" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-099" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-100" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-101" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-102" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-103" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-104" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-105" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-106" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-107" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-108" + Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-109" + Task = "Ensure 'Scripting of Java applets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-110" + Task = "Ensure 'Allow file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-111" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-112" + Task = "Ensure 'Allow active scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-113" + Task = "Ensure 'Logon options' is set to 'Anonymous logon'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-114" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-115" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-116" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-117" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-118" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-119" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-120" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-121" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-122" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-123" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-124" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-125" + Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-126" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-127" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-128" + Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-129" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-130" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-131" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "REG-132" + Task = "Task unavailable" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Office Enterprise-CIS-1.2.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Office Enterprise-CIS-1.2.0#RegistrySettings.ps1 new file mode 100644 index 0000000..bf458e1 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Office Enterprise-CIS-1.2.0#RegistrySettings.ps1 
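Review bot: REG-132 ships with `Task = "Task unavailable"` for value `140C` under `Zones\4`, so a failing host will show an unexplained finding with no benchmark title to act on; fill in the setting name (or its benchmark reference) or leave the test out of this change until it is known. Minor: REG-131 uses `-Name "120c"` in lowercase while every other entry in the file writes the value name in uppercase hex (`140C`, `270C`, `1A00`); registry value names are case-insensitive so it works, but keep one style. REG-103 through REG-132 are otherwise identical except for Id, Task, value name and expected value, so a small table plus a loop that emits the `[AuditTest]` entries would shrink the hunk considerably and make gaps like REG-132 obvious at a glance.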
@@ -0,0 +1,11884 @@ +# Office root folder +$officePaths = @( + # Office 365 / 2019 / 2021 (the standard install paths) + "C:\Program Files\Microsoft Office\root\Office16", + "C:\Program Files (x86)\Microsoft Office\root\Office16" + + # Office 2016 (MSI) + "C:\Program Files\Microsoft Office\Office16", + "C:\Program Files (x86)\Microsoft Office\Office16", + + # Office 2016 (x32 MSI on x64 OS) + "C:\Program Files (x86)\Microsoft Office\root\Office16", + "C:\Program Files (x86)\Microsoft Office\Office16\", + + # Office 2016 (x64 MSI on x64 OS) + "C:\Program Files\Microsoft Office\Office16\" +) + +# Mapping of applications to exe names +$exeMap = @{ + "Groove" = "GROOVE.EXE" + "Excel" = "EXCEL.EXE" + "Publisher" = "MSPUB.EXE" + "PowerPoint" = "POWERPNT.EXE" + "PowerPoint Viewer" = "PPTVIEW.EXE" + "Project" = "WINPROJ.EXE" + "Word" = "WINWORD.EXE" + "Outlook" = "OUTLOOK.EXE" + "SharePoint Designer" = "SPDESIGN.EXE" + "Expression Web" = "EXPRWD.EXE" + "Access" = "MSACCESS.EXE" + "OneNote" = "ONENOTE.EXE" + "MS Script Editor" = "MSE7.EXE" + "Visio" = "VISIO.EXE" + +} + +# Check if any Office installation path exists -> if not existend, then Office is not installed +$OfficeInstalled = $false +foreach ($path in $officePaths) { + if (Test-Path $path) { + $OfficeInstalled = $true + break + } +} + +# Determine which Office apps are installed +$installedOfficeApps = @{} + +if ($OfficeInstalled) { + foreach ($app in $exeMap.Keys) { + foreach ($path in $officePaths) { + $exePath = Join-Path $path $exeMap[$app] + if (Test-Path $exePath) { + $installedOfficeApps[$app] = $true + break + } + } + if (-not $installedOfficeApps.ContainsKey($app)) { + $installedOfficeApps[$app] = $false + } + } +} +else { + Write-Warning "Office could not be found on this system." + Write-Warning "If Office is installed, please leave a comment in Issue-718 (https://github.com/fbprogmbh/Hardening-Audit-Tool-AuditTAP/issues/718) and provide requested information from 'What happened?' section." 
+} + +[AuditTest] @{ + Id = "1.1.4.1.1 A" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} + +[AuditTest] @{ + Id = "1.1.4.1.1 B" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 C" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 D" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 E" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 F" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 G" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 H" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 I" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 J" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 K" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 L" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 M" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.1 N" + Task = "(L1) Ensure 'Add-on Management' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 A" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 B" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 C" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 D" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 E" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 F" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 G" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 H" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 I" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 J" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 K" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 L" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 M" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.2 N" + Task = "(L1) Ensure 'Bind to object' is set to 'Enabled' (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 A" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled'" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 B" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 C" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 D" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 E" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 F" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 G" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 H" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 I" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 J" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 K" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 L" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 M" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.3 N" + Task = "(L1) Ensure 'Consistent Mime Handling' is set to 'Enabled' (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 A" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 B" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 C" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 D" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 E" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 F" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 G" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 H" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 I" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 J" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 K" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 L" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 M" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.4 N" + Task = "(L1) Ensure 'Disable user name and password' is set to 'Enabled' (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 A" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 B" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 C" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 D" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 E" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 F" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 G" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 H" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 I" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 J" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 K" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 L" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 M" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.5 N" + Task = "(L1) Ensure 'Information Bar' is set to 'Enabled' (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 A" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneDrive for Business"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 B" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 C" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 D" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 E" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 F" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 G" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 H" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 I" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 J" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} + +[AuditTest] @{ + Id = "1.1.4.1.6 K" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 L" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 M" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.6 N" + Task = "(L1) Ensure 'Local Machine Zone Lockdown Security' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 A" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 B" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 C" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 D" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 E" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 F" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 G" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 H" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 I" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 J" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 K" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 L" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 M" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.7 N" + Task = "(L1) Ensure 'Mime Sniffing Safety Feature' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 A" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 B" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 C" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 D" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 E" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 F" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 G" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 H" + Task = "(L1) Ensure 'Navigate URL' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_validate_navigate_url" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 I" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 J" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 K" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 L" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 M" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.8 N" + Task = "(L1) Ensure 'Navigate URL' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 A" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 B" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 C" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 D" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 E" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 F" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 G" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 H" + Task = "(L1) Ensure 'Object Caching Protection' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_object_caching" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 I" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 J" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 K" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 L" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 M" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.9 N" + Task = "(L1) Ensure 'Object Caching Protection' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 A" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 B" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 C" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 D" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 E" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 F" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 G" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 H" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 I" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 J" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 K" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 L" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 M" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.10 N" + Task = "(L1) Ensure 'Protection From Zone Elevation' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 A" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 B" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 C" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 D" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 E" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 F" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 G" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 H" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_activexinstall" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 I" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 J" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 K" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 L" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 M" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.11 N" + Task = "(L1) Ensure 'Restrict ActiveX Install' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 A" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 B" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 C" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 D" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 E" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 F" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 G" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 H" + Task = "(L1) Ensure 'Restrict File Download' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_restrict_filedownload" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 I" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 J" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 K" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 L" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 M" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.12 N" + Task = "(L1) Ensure 'Restrict File Download' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 A" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 B" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 C" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 D" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 E" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 F" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 G" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 H" + Task = "(L1) Ensure 'Saved from URL' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_unc_savedfilecheck" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 I" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 J" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 K" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 L" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 M" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.13 N" + Task = "(L1) Ensure 'Saved from URL' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 A" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (groove.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Groove"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "groove.exe" ` + | Select-Object -ExpandProperty "groove.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 B" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 C" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 D" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 E" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (pptview.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint Viewer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "pptview.exe" ` + | Select-Object -ExpandProperty "pptview.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 F" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 G" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 H" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 I" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 J" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (spDesign.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["SharePoint Designer"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "spDesign.exe" ` + | Select-Object -ExpandProperty "spDesign.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 K" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (exprwd.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Expression Web"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "exprwd.exe" ` + | Select-Object -ExpandProperty "exprwd.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 L" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 M" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (onent.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "onent.exe" ` + | Select-Object -ExpandProperty "onent.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.4.1.14 N" + Task = "(L1) Ensure 'Scripted Window Security Restrictions' is set to Enabled (mse7.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["MS Script Editor"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "mse7.exe" ` + | Select-Object -ExpandProperty "mse7.exe" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.5.1" + Task = "(L1) Ensure 'Enable Automatic Updates' is set to Enabled" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\office\16.0\common\officeupdate" ` + -Name "enableautomaticupdates" ` + | Select-Object -ExpandProperty "enableautomaticupdates" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.1.5.2" + Task = "(L1) Ensure 'Hide Option to Enable or Disable Updates' is set to Enabled" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\office\16.0\common\officeupdate" ` + -Name "hideenabledisableupdates" ` + | Select-Object -ExpandProperty "hideenabledisableupdates" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 A" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation'" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\Common\COM Compatibility" ` + -Name "Comment" ` + | Select-Object -ExpandProperty "Comment" + + if ($regValue -ne "Block all Flash activation") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block all Flash activation" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 B" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (ActivationFilterOverride)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}" ` + -Name "ActivationFilterOverride" ` + | Select-Object -ExpandProperty "ActivationFilterOverride" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 C" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (Compatibility Flags)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}" ` + -Name "Compatibility Flags" ` + | Select-Object -ExpandProperty "Compatibility Flags" + + if (($regValue -ne 1024)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1024" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 D" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (ActivationFilterOverride)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB70-AE6D-11CF-96B8-444553540000}" ` + -Name "ActivationFilterOverride" ` + | Select-Object -ExpandProperty "ActivationFilterOverride" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 E" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (Compatibility Flags)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB70-AE6D-11CF-96B8-444553540000}" ` + -Name "Compatibility Flags" ` + | Select-Object -ExpandProperty "Compatibility Flags" + + if (($regValue -ne 1024)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1024" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 F" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (ActivationFilterOverride, WOW6432)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}" ` + -Name "ActivationFilterOverride" ` + | Select-Object -ExpandProperty "ActivationFilterOverride" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 G" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (Compatibility Flags, WOW6432)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}" ` + -Name "Compatibility Flags" ` + | Select-Object -ExpandProperty "Compatibility Flags" + + if (($regValue -ne 1024)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1024" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 H" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (ActivationFilterOverride, WOW6432)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{D27CDB70-AE6D-11CF-96B8-444553540000}" ` + -Name "ActivationFilterOverride" ` + | Select-Object -ExpandProperty "ActivationFilterOverride" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.1 I" + Task = "(L1) Ensure 'Block Flash activation in Office documents' is set to 'Enabled: Block all activation' (Compatibility Flags, WOW6432)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\{D27CDB70-AE6D-11CF-96B8-444553540000}" ` + -Name "Compatibility Flags" ` + | Select-Object -ExpandProperty "Compatibility Flags" + + if (($regValue -ne 1024)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1024" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 A" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (excel.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Excel"]) { + return @{ + Message = "Application not installed, skipping test." 
+ Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "excel.exe" ` + | Select-Object -ExpandProperty "excel.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 B" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (msaccess.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Access"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "msaccess.exe" ` + | Select-Object -ExpandProperty "msaccess.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 C" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (mspub.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Publisher"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "mspub.exe" ` + | Select-Object -ExpandProperty "mspub.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 D" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (onenote.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["OneNote"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "onenote.exe" ` + | Select-Object -ExpandProperty "onenote.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 E" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (outlook.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Outlook"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "outlook.exe" ` + | Select-Object -ExpandProperty "outlook.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 F" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (powerpnt.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["PowerPoint"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "powerpnt.exe" ` + | Select-Object -ExpandProperty "powerpnt.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 G" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (visio.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Visio"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "visio.exe" ` + | Select-Object -ExpandProperty "visio.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 H" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (winproj.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." + Status = "None" + } + } + elseif (-not $installedOfficeApps["Project"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "winproj.exe" ` + | Select-Object -ExpandProperty "winproj.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "1.3.2 I" + Task = "(L1) Ensure 'Restrict legacy JScript execution for Office' is set to 'Enabled' (winword.exe)" + Test = { + # new logic: + # - if no Office installed at all -> skip test + # - if Office installed but app not installed -> skip test + # - else run test as normal + + if (-not $OfficeInstalled) { + return @{ + Message = "No Office installation detected, skipping test." 
+ Status = "None" + } + } + elseif (-not $installedOfficeApps["Word"]) { + return @{ + Message = "Application not installed, skipping test." + Status = "None" + } + } + else { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE" ` + -Name "winword.exe" ` + | Select-Object -ExpandProperty "winword.exe" + + if (($regValue -ne 69632)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 69632" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1 new file mode 100644 index 0000000..606764a --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings.ps1 
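Review bot: in the Office tests above (1.3.2 A through I), the per-application skip `elseif (-not $installedOfficeApps["Excel"])` turns any misspelled or missing hashtable key into a silent "Application not installed, skipping test." with Status "None", because `-not $null` is true; nine hand-typed keys ("Access", "Publisher", "OneNote", "Outlook", "PowerPoint", "Visio", "Project", "Word", "Excel") are a lot of places for that to go wrong unnoticed, so consider checking `$installedOfficeApps.ContainsKey(...)` first, or driving these nine identical bodies from one table of (app key, exe name) pairs so the key list lives in one place. Separately, the comment block in 1.3.1 H and 1.3.1 I says "if Office installed but app not installed -> skip test", but those two tests have no application branch at all (they read the machine-wide `Common\COM Compatibility` kill-bit keys, which is fine); trim the comment so it matches the code. Style nit: `if (($regValue -ne 0))` and `if (($regValue -ne 69632))` carry a redundant pair of parentheses.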
@@ -0,0 +1,4215 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +[AuditTest] @{ + Id = "1" + Task = "Turn off Automatic Root Certificates Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" ` + -Name "DisableRootAutoUpdate" ` + | Select-Object -ExpandProperty "DisableRootAutoUpdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1.1" + Task = "Disable Allow Cortana" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortana" ` + | Select-Object -ExpandProperty "AllowCortana" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1.2" + Task = "Disable Allow search and Cortana to use location" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1.3" + Task = "Do not allow web search" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "DisableWebSearch" ` + | Select-Object -ExpandProperty "DisableWebSearch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1.4" + Task = "Don't search the web or display web results in Search" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "ConnectedSearchUseWeb" ` + | Select-Object -ExpandProperty "ConnectedSearchUseWeb" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1.5" + Task = "Set Set what information is shared in Search to Anonymous info" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "ConnectedSearchPrivacy" ` + | Select-Object -ExpandProperty "ConnectedSearchPrivacy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1" + Task = "Prevent Windows from setting the time automatically" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" ` + -Name "Type" ` + | Select-Object -ExpandProperty "Type" + + if ($regValue -ne "NoSync") { + return @{ + Message = "Registry value is '$regValue'. Expected: NoSync" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.2" + Task = "Disable Windows NTP Client" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4" + Task = "Prevent Windows from retrieving device metadata from the Internet" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5" + Task = "Turn off Find My Device" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice" ` + -Name "AllowFindMyDevice" ` + | Select-Object -ExpandProperty "AllowFindMyDevice" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "6" + Task = "Disable Font Providers" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7" + Task = "Turn off Insider Preview builds for Windows 10" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.1" + Task = "Disable Suggested Sites" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.2" + Task = "Disable Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer" ` + -Name "AllowServicePoweredQSA" ` + | Select-Object -ExpandProperty "AllowServicePoweredQSA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.3" + Task = "Turn off the auto-complete feature for web addresses" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" ` + -Name "AutoSuggest" ` + | Select-Object -ExpandProperty "AutoSuggest" + + if ($regValue -ne "No") { + return @{ + Message = "Registry value is '$regValue'. Expected: No" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.4" + Task = "Turn off browser geolocation" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation" ` + -Name "PolicyDisableGeolocation" ` + | Select-Object -ExpandProperty "PolicyDisableGeolocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.5" + Task = "Prevent managing SmartScreen filter" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.6" + Task = "Turn off Compatibility View." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation" ` + -Name "DisableSiteListEditing" ` + | Select-Object -ExpandProperty "DisableSiteListEditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.7" + Task = "Turn off the flip ahead with page prediction feature" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\FlipAhead" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.8" + Task = "Turn off background synchronization for feeds and Web Slices" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "BackgroundSyncStatus" ` + | Select-Object -ExpandProperty "BackgroundSyncStatus" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.9" + Task = "Disable Allow Online Tips" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.10" + Task = "Set home page blank" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Start Page" ` + | Select-Object -ExpandProperty "Start Page" + + if ($regValue -ne "about:blank") { + return @{ + Message = "Registry value is '$regValue'. Expected: about:blank" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.11" + Task = "Disable changing home page settings" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "HomePage" ` + | Select-Object -ExpandProperty "HomePage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.12" + Task = "Prevent running First Run wizard" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableFirstRunCustomize and set it to Go directly to home page" ` + | Select-Object -ExpandProperty "DisableFirstRunCustomize and set it to Go directly to home page" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.0.13" + Task = "Specify default behavior for a new tab" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\TabbedBrowsing" ` + -Name "NewTabPageShow" ` + | Select-Object -ExpandProperty "NewTabPageShow" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8.1" + Task = "Turn off Automatic download of the ActiveX VersionList" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager" ` + -Name "DownloadVersionList" ` + | Select-Object -ExpandProperty "DownloadVersionList" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9" + Task = "Turn off License Manager related traffic" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LicenseManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "10" + Task = "Turn Off notifications network usage" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "11" + Task = "Turn off mail synchronization for Microsoft Accounts that are configured on the device" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail" ` + -Name "ManualLaunchAllowed" ` + | Select-Object -ExpandProperty "ManualLaunchAllowed" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "12" + Task = "Disable the Microsoft Account Sign-In Assistant" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wlidsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.1" + Task = "Disable Allow Address Bar drop-down list suggestions" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI" ` + -Name "ShowOneBox" ` + | Select-Object -ExpandProperty "ShowOneBox" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.2" + Task = "Disable Allow configuration updates for the Books Library" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BooksLibrary" ` + -Name "AllowConfigurationUpdateForBooksLibrary" ` + | Select-Object -ExpandProperty "AllowConfigurationUpdateForBooksLibrary" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.3" + Task = "Disable Configure Autofill" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "Use FormSuggest" ` + | Select-Object -ExpandProperty "Use FormSuggest" + + if ($regValue -ne "No") { + return @{ + Message = "Registry value is '$regValue'. Expected: No" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.4" + Task = "Configure Do Not Track" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "DoNotTrack" ` + | Select-Object -ExpandProperty "DoNotTrack" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.5" + Task = "Disable Configure Password Manager" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "No") { + return @{ + Message = "Registry value is '$regValue'. Expected: No" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.6" + Task = "Disable Configure search suggestions in Address Bar" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" ` + -Name "ShowSearchSuggestionsGlobal" ` + | Select-Object -ExpandProperty "ShowSearchSuggestionsGlobal" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.7" + Task = "Disable Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.8" + Task = "Disable Allow web content on New Tab page" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI" ` + -Name "AllowWebContentOnNewTabPage" ` + | Select-Object -ExpandProperty "AllowWebContentOnNewTabPage" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.9" + Task = "Configure corporate Home pages" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings" ` + -Name "ProvisionedHomePages" ` + | Select-Object -ExpandProperty "ProvisionedHomePages" + + if ($regValue -ne "about:blank") { + return @{ + Message = "Registry value is '$regValue'. Expected: about:blank" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.10" + Task = "Prevent the First Run webpage from opening on Microsoft Edge" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "PreventFirstRunPage" ` + | Select-Object -ExpandProperty "PreventFirstRunPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13.11" + Task = "Disable Compatibility View." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BrowserEmulation" ` + -Name "MSCompatibilityMode" ` + | Select-Object -ExpandProperty "MSCompatibilityMode" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "14" + Task = "Turn off Windows Network Connectivity Status Indicator active tests" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" ` + -Name "NoActiveProbe" ` + | Select-Object -ExpandProperty "NoActiveProbe" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "15.1" + Task = "Turn off Automatic Download and Update of Map Data" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" ` + -Name "AutoDownloadAndUpdateMapData" ` + | Select-Object -ExpandProperty "AutoDownloadAndUpdateMapData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "15.2" + Task = "Turn off unsolicited network traffic on the Offline Maps settings page" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps" ` + -Name "AllowUntriggeredNetworkTrafficOnSettingsPage" ` + | Select-Object -ExpandProperty "AllowUntriggeredNetworkTrafficOnSettingsPage" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "16.1" + Task = "Prevent the usage of OneDrive for file storage" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "16.2" + Task = "Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive" ` + -Name "PreventNetworkTrafficPreUserSignIn" ` + | Select-Object -ExpandProperty "PreventNetworkTrafficPreUserSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1" + Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2" + Task = "Turn off Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "Turn off Let websites provide locally relevant content by accessing my language list" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Control Panel\International\User Profile" ` + -Name "HttpAcceptLanguageOptOut" ` + | Select-Object -ExpandProperty "HttpAcceptLanguageOptOut" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.4" + Task = "Turn off Let Windows track app launches to improve Start and search results" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" ` + -Name "Start_TrackProgs" ` + | Select-Object -ExpandProperty "Start_TrackProgs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.1" + Task = "Turn off Location for this device" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessLocation" ` + | Select-Object -ExpandProperty "LetAppsAccessLocation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.2" + Task = "Turn off Location" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.1" + Task = "Turn off Let apps use my camera" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessCamera" ` + | Select-Object -ExpandProperty "LetAppsAccessCamera" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "Turn off Let apps use my microphone" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessMicrophone" ` + | Select-Object -ExpandProperty "LetAppsAccessMicrophone" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "Turn off notifications network usage" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "Turn off Let apps access my notifications" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessNotifications" ` + | Select-Object -ExpandProperty "LetAppsAccessNotifications" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.1" + Task = "Turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" ` + -Name "HasAccepted" ` + | Select-Object -ExpandProperty "HasAccepted" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.2" + Task = "Turn off updates to the speech recognition and speech synthesis models" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Speech" ` + -Name "AllowSpeechModelUpdate" ` + | Select-Object -ExpandProperty "AllowSpeechModelUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "Turn off Let apps access my name, picture, and other account info" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessAccountInfo" ` + | Select-Object -ExpandProperty "LetAppsAccessAccountInfo" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8" + Task = "Turn off Choose apps that can access contacts" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessContacts" ` + | Select-Object -ExpandProperty "LetAppsAccessContacts" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.1" + Task = "Turn off Let apps access my calendar" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessCalendar" ` + | Select-Object -ExpandProperty "LetAppsAccessCalendar" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10" + Task = "Turn off Let apps access my call history" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessCallHistory" ` + | Select-Object -ExpandProperty "LetAppsAccessCallHistory" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.11" + Task = "Turn off Let apps access and send email" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessEmail" ` + | Select-Object -ExpandProperty "LetAppsAccessEmail" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.12.1" + Task = "Turn off Let apps read or send messages (text or MMS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessMessaging" ` + | Select-Object -ExpandProperty "LetAppsAccessMessaging" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.12.3" + Task = "Turn off Message Sync" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.13.1" + Task = "Turn off Let apps make phone calls" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessPhone" ` + | Select-Object -ExpandProperty "LetAppsAccessPhone" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.14.1" + Task = "Turn off Let apps control radios" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessRadios" ` + | Select-Object -ExpandProperty "LetAppsAccessRadios" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.15.1" + Task = "Turn off Let apps automatically share and sync info with wireless devices that do not explicitly pair with your PC, tablet, or phone" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsSyncWithDevices" ` + | Select-Object -ExpandProperty "LetAppsSyncWithDevices" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.15.2" + Task = "Turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessTrustedDevices" ` + | Select-Object -ExpandProperty "LetAppsAccessTrustedDevices" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.16.1" + Task = "Do not show feedback notificationsk" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.16.2" + Task = "Set Send your device data to Microsoft to Basic" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + $allowedNames = @("Windows 10 Home", "Windows 11 Home", "Windows 10 Pro", "Windows 11 Pro") + $productname = Get-ComputerInfo | select -ExpandProperty OsName + if (($allowedNames -contains $productname) -and ($regValue -eq 1)){ + return @{ + Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'." + Status = "Warning" + } + } + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.16.3" + Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.16.4" + Task = "Turn off tailored experiences with relevant tips and recommendations by using your diagnostics data" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.17" + Task = "Turn off Let apps run in the background" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsRunInBackground" ` + | Select-Object -ExpandProperty "LetAppsRunInBackground" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.18" + Task = "Turn off Let Windows and your apps use your motion data and collect motion history" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessMotion" ` + | Select-Object -ExpandProperty "LetAppsAccessMotion" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.19" + Task = "Set Let Windows apps access Tasks to Force Deny" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsAccessTasks" ` + | Select-Object -ExpandProperty "LetAppsAccessTasks" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.20" + Task = "Let Windows apps access diagnostic information about other apps" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsGetDiagnosticInfo" ` + | Select-Object -ExpandProperty "LetAppsGetDiagnosticInfo" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.21" + Task = "Turn off Inking & Typing data collection" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\InputPersonalization" ` + -Name "RestrictImplicitTextCollection" ` + | Select-Object -ExpandProperty "RestrictImplicitTextCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.22.1" + Task = "Disable Activity Feed" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableActivityFeed" ` + | Select-Object -ExpandProperty "EnableActivityFeed" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.22.2" + Task = "Disable Allow publishing of User Activities" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "PublishUserActivities" ` + | Select-Object -ExpandProperty "PublishUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.22.3" + Task = "Disable Allow upload of User Activities" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.23.1" + Task = "Disable Let Windows apps activate with voice" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoice" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoice" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.23.2" + Task = "Disable Allow publishing of User Activities" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "PublishUserActivities" ` + | Select-Object -ExpandProperty "PublishUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19" + Task = "Turn off KMS Client Online AVS Validation" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "20" + Task = "Disable Allow downloading updates to the Disk Failure Prediction Model" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\StorageHealth" ` + -Name "AllowDiskHealthModelUpdates" ` + | Select-Object -ExpandProperty "AllowDiskHealthModelUpdates" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21.1" + Task = "Enable Do not sync" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync" ` + -Name "DisableSettingSync" ` + | Select-Object -ExpandProperty "DisableSettingSync" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21.2" + Task = "Disable Allow users to turn syncing on" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync" ` + -Name "DisableSettingSyncUserOverride" ` + | Select-Object -ExpandProperty "DisableSettingSyncUserOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21.3" + Task = "Turn off Messaging cloud sync" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Messaging" ` + -Name "CloudServiceSyncEnabled" ` + | Select-Object -ExpandProperty "CloudServiceSyncEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "22" + Task = "Set Teredo State to disabled state" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "Teredo_State" ` + | Select-Object -ExpandProperty "Teredo_State" + + if ($regValue -ne "Disabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Disabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "23" + Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.1" + Task = "Disable Join Microsoft MAPS" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpyNetReporting" ` + | Select-Object -ExpandProperty "SpyNetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.3" + Task = "Set Send file samples when further analysis is required to Never Send" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.4" + Task = "Set Define the order of sources for downloading definition updates to FileShares" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates" ` + -Name "FallbackOrder" ` + | Select-Object -ExpandProperty "FallbackOrder" + + if ($regValue -ne "FileShares") { + return @{ + Message = "Registry value is '$regValue'. Expected: FileShares" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.5" + Task = "Define Define file shares for downloading definition updates to Nothing" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Signature Updates" ` + -Name "DefinitionUpdateFileSharesSources" ` + | Select-Object -ExpandProperty "DefinitionUpdateFileSharesSources" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.6" + Task = "Turn off Malicious Software Reporting Tool diagnostic data" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" ` + -Name "DontReportInfectionInformation" ` + | Select-Object -ExpandProperty "DontReportInfectionInformation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.0.7" + Task = "Turn off Enhanced Notifications as follows" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableEnhancedNotifications" ` + | Select-Object -ExpandProperty "DisableEnhancedNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.1.1" + Task = "Disable Windows Defender Smartscreen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.1.2" + Task = "Disable Windows Defender Smartscreen" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SmartScreen" ` + -Name "ConfigureAppInstallControlEnabled" ` + | Select-Object -ExpandProperty "ConfigureAppInstallControlEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24.1.3" + Task = "Disable Windows Defender Smartscreen" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SmartScreen" ` + -Name "ConfigureAppInstallControl" ` + | Select-Object -ExpandProperty "ConfigureAppInstallControl" + + if ($regValue -ne "Anywhere") { + return @{ + Message = "Registry value is '$regValue'. Expected: Anywhere" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.1" + Task = "Turn off all Windows spotlight features" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.2" + Task = "Do not display the Lock Screen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreen" ` + | Select-Object -ExpandProperty "NoLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.3" + Task = "Force a specific default lock screen image and logon image" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "LockScreenImage" ` + | Select-Object -ExpandProperty "LockScreenImage" + + if ($regValue -ne "C:\windows\web\screen\lockscreen.jpg") { + return @{ + Message = "Registry value is '$regValue'. Expected: C:\windows\web\screen\lockscreen.jpg" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.4" + Task = "Turn off fun facts, tips, tricks, and more on lock screen" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "LockScreenOverlaysDisabled" ` + | Select-Object -ExpandProperty "LockScreenOverlaysDisabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.5" + Task = "Do not show Windows tips" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSoftLanding" ` + | Select-Object -ExpandProperty "DisableSoftLanding" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25.6" + Task = "Turn off Microsoft consumer experiences" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "26.1" + Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "26.2" + Task = "Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "27" + Task = "Turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableAppUriHandlers" ` + | Select-Object -ExpandProperty "EnableAppUriHandlers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "28.3" + Task = "Enable the Download Mode and set the Download Mode to `"Bypass`" to prevent traffic" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if ($regValue -ne 100) { + return @{ + Message = "Registry value is '$regValue'. Expected: 100" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.1" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DoNotConnectToWindowsUpdateInternetLocations" ` + | Select-Object -ExpandProperty "DoNotConnectToWindowsUpdateInternetLocations" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.2" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DisableWindowsUpdateAccess" ` + | Select-Object -ExpandProperty "DisableWindowsUpdateAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.3" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "WUServer" ` + | Select-Object -ExpandProperty "WUServer" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.4" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "WUStatusServer" ` + | Select-Object -ExpandProperty "WUStatusServer" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.5" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "UpdateServiceUrlAlternate" ` + | Select-Object -ExpandProperty "UpdateServiceUrlAlternate" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29.6" + Task = "Turn off Windows Update" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "UseWUServer" ` + | Select-Object -ExpandProperty "UseWUServer" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AccountPolicies.ps1 new file mode 100644 index 0000000..ee46aa7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AccountPolicies.ps1 
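Review bot: test 26.2 reuses the Task text of 26.1 ("Turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded") although it checks a different setting, `AutoDownload` = 2 under `HKLM\SOFTWARE\Policies\Microsoft\WindowsStore`, so a report reader cannot tell which of the two failed; give 26.2 a Task string that names the setting it actually reads. Two smaller points in the same hunk: tests 29.3, 29.4 and 29.5 build the failure message as `"Registry value is '$regValue'. Expected: "` with nothing after the colon when `WUServer`, `WUStatusServer` or `UpdateServiceUrlAlternate` is non-empty, so the expectation should be spelled out (for example `Expected: '' (empty string)`); and because a value that does not exist falls into the `PSArgumentException` branch, a machine where these three values were never created is reported "Registry value not found." / non-compliant even though 29.6 then demands `UseWUServer` = 1 against that empty server as the way to cut off update traffic. If the intent is that the values must exist and be empty, state that in the Task text so the "not found" result is not read as a false positive.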
@@ -0,0 +1,255 @@ +[AuditTest] @{ + Id = "200" + Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "201" + Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "202" + Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "203" + Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "204" + Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "205" + Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "206" + Task = "(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "207" + Task = "(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 10 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "208" + Task = "(ND) Ensure 'Reset account lockout counter after' is set to '15 or`nmore minute(s)'. " + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AuditPolicies.ps1 new file mode 100644 index 0000000..346e5c7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AuditPolicies.ps1 
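Review bot: test 202 compares with `$setPolicy -ne 24` while its Task says "Enforce password history is set to '24 or more password(s)'", so a stricter value such as 30 is reported as non-compliant; the condition should be `$setPolicy -lt 24` and the message `Expected: x >= 24`, which is also how 204 to 208 phrase their lower bounds. Minor points in the same hunk: the Task string of 208 contains a literal `` `n `` escape ("15 or`nmore minute(s)") that injects a line break into the report, and 205's Task has a stray space before its final period. Also, every test in this file casts with `[long]$setPolicy` outside any try/catch; a non-numeric entry from the security policy export would throw out of the test instead of producing a "False" result, unlike the registry tests elsewhere in the patch, so either guard the cast or document that the resource is guaranteed numeric.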
@@ -0,0 +1,77 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#RegistrySettings.ps1 new file mode 100644 index 0000000..dc5400c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#RegistrySettings.ps1 
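Review bot: the `# Tests` section at the end of this file is empty, so the audit group "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AuditPolicies" ships a `Get-AuditPolicySubcategoryGUID` helper and zero `[AuditTest]` entries; either add the advanced audit policy checks this group is meant to carry or leave the file out of the commit until they exist, so the report does not list an audit group with no tests. Separately, the helper returns `""` for a subcategory name that is not in `$map` rather than failing, which means a typo in a subcategory name at a future call site is silently turned into an empty GUID; throwing on an unmapped name would surface that at test-authoring time.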
@@ -0,0 +1,12419 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1" + Task = "(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2" + Task = "(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3" + Task = "(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4" + Task = "(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5" + Task = "(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7" + Task = "(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableDeadGWDetect" ` + | Select-Object -ExpandProperty "EnableDeadGWDetect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8" + Task = "(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9" + Task = "(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "10" + Task = "(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "11" + Task = "(HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters" ` + -Name "disablesavepassword" ` + | Select-Object -ExpandProperty "disablesavepassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "12" + Task = "(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "13" + Task = "(HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "14" + Task = "(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "15" + Task = "(HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "16" + Task = "(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "17" + Task = "(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18" + Task = "(HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19" + Task = "(HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "20" + Task = "(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21" + Task = "(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netbt\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "22" + Task = "(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "23" + Task = "(HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24 A" + Task = "(ND, NE) Ensure 'Hardened UNC Paths' is set to `"Require Mutual Authentication=1, `"Require Integrity=1`" for the value names `"\\*\NETLOGON`" und `"\\*\SYSVOL`". [\\*\NETLOGON]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24 B" + Task = "(ND, NE) Ensure 'Hardened UNC Paths' is set to `"Require Mutual Authentication=1, `"Require Integrity=1`" for the value names `"\\*\NETLOGON`" und `"\\*\SYSVOL`". [\\*\SYSVOL]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "25" + Task = "(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "26" + Task = "(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "27" + Task = "(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "28" + Task = "(HD) Ensure 'Enable Font Providers' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "29" + Task = "(HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "30" + Task = "(HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "31" + Task = "(HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "32" + Task = "(HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "33" + Task = "(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($null -eq $regValue -or 0 -eq $regValue) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1-3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "34" + Task = "(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "35" + Task = "(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "36" + Task = "(HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "37" + Task = "(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "38" + Task = "(HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "39" + Task = "(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "40" + Task = "(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "41" + Task = "(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "42" + Task = "(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "43" + Task = "(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "44" + Task = "(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "45" + Task = "(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "46" + Task = "(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "47" + Task = "(HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "48" + Task = "(HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "49" + Task = "(HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "50" + Task = "(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "51" + Task = "(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "52" + Task = "(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "53" + Task = "(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "54" + Task = "(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "55" + Task = "(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "56" + Task = "(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "57" + Task = "(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "58" + Task = "(HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "59 A" + Task = "(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "59 B" + Task = "(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. (PCI\CC_0C0A)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" + + $expectedValue = "PCI\CC_0C0A" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "59 C" + Task = "(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. (DenyDeviceIDsRetroactive)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDsRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "60 A" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "60 B" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{d48179be-ec20-11d1-b6b8-00c04fa372a7}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 C" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (IEEE 1394 Devices That Support the 61883 Protocol)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 D" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (IEEE 1394 Devices That Support the AVC Protocol)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{c06ff265-ae09-48f0-812c-16753d7cba83}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 E" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (IEEE 1394 Host Bus Controller)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{6bdd1fc1-810f-11d0-bec7-08002be2092f}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 F" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (DenyDeviceClassesRetroactive)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "61" + Task = "(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "62" + Task = "(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "63" + Task = "(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "64" + Task = "(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "65" + Task = "(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "66" + Task = "(HD) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "67" + Task = "(HD) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "68" + Task = "(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "69" + Task = "(HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "70" + Task = "(HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "71" + Task = "(HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "72" + Task = "(HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "73" + Task = "(HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "74" + Task = "(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "75" + Task = "(HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "76" + Task = "(HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "77" + Task = "(HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "78" + Task = "(HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "79" + Task = "(HD) Ensure 'Turn off access to the Store' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "80" + Task = "(HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "81" + Task = "(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "82" + Task = "(HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "83" + Task = "(HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "84" + Task = "(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "85" + Task = "(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "86" + Task = "(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "87" + Task = "(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "88" + Task = "(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM\BlockedCommands" ` + -Name "IgnoreDefaultList" ` + | Select-Object -ExpandProperty "IgnoreDefaultList" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "89" + Task = "(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm" ` + -Name "StandardUserAuthorizationFailureDuration" ` + | Select-Object -ExpandProperty "StandardUserAuthorizationFailureDuration" + + if ($regValue -ne 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "90" + Task = "(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm" ` + -Name "StandardUserAuthorizationFailureIndividualThreshold" ` + | Select-Object -ExpandProperty "StandardUserAuthorizationFailureIndividualThreshold" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "91" + Task = "(HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "92" + Task = "(HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "93" + Task = "(HD) Ensure 'Allow Online Tips' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "94" + Task = "(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "95" + Task = "(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "96" + Task = "(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "SCRNSAVE.EXE" ` + | Select-Object -ExpandProperty "SCRNSAVE.EXE" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "97" + Task = "(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "98" + Task = "(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "99" + Task = "(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveTimeOut" ` + | Select-Object -ExpandProperty "ScreenSaveTimeOut" + + if (($regValue -gt 900 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "100 A" + Task = "(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "RestrictImplicitTextCollection" ` + | Select-Object -ExpandProperty "RestrictImplicitTextCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "100 B" + Task = "(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "RestrictImplicitInkCollection" ` + | Select-Object -ExpandProperty "RestrictImplicitInkCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "101" + Task = "(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "102" + Task = "(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "103" + Task = "(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "104" + Task = "(HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "BlockHostedAppAccessWinRT" ` + | Select-Object -ExpandProperty "BlockHostedAppAccessWinRT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "105" + Task = "(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "106" + Task = "(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "107" + Task = "(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "108" + Task = "(HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "109" + Task = "(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "110" + Task = "(HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "111" + Task = "(HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "112" + Task = "(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "113" + Task = "(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "114" + Task = "(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "115" + Task = "(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "116" + Task = "(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "117" + Task = "(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "118" + Task = "(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "119" + Task = "(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "120" + Task = "(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + $saferClients = @("*Server*", "*Education*", "*Enterprise*") + $productname = Get-ComputerInfo | select -ExpandProperty OsName + if (($productname -notcontains $saferClients) -and ($regValue -eq 1)) { + return @{ + Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'." + Status = "Warning" + } + } + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "121" + Task = "(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowDeviceNameInTelemetry" ` + | Select-Object -ExpandProperty "AllowDeviceNameInTelemetry" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "122" + Task = "(HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "123" + Task = "(HD) Ensure 'Allow Use of Camera' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "124" + Task = "(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "125" + Task = "(HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "126" + Task = "(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "127" + Task = "(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "128" + Task = "(HD) Ensure 'Turn off location' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "129" + Task = "(HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "130" + Task = "(HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "131" + Task = "(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "132" + Task = "(HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "133" + Task = "(HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "134" + Task = "(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "135" + Task = "(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "136" + Task = "(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "137" + Task = "(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "138" + Task = "(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "139" + Task = "(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fResetBroken" ` + | Select-Object -ExpandProperty "fResetBroken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "140" + Task = "(HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "141" + Task = "(HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "142" + Task = "(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "143" + Task = "(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "144" + Task = "(HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "145" + Task = "(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "146" + Task = "(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "147" + Task = "(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "148" + Task = "(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "149" + Task = "(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "150" + Task = "(HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "151" + Task = "(HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "152" + Task = "(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "153" + Task = "(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableOSUpgrade" ` + | Select-Object -ExpandProperty "DisableOSUpgrade" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "154" + Task = "(HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RequirePrivateStoreOnly" ` + | Select-Object -ExpandProperty "RequirePrivateStoreOnly" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "155" + Task = "(HD) Ensure 'Turn off the Store application' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "156" + Task = "(HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "157" + Task = "(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "158" + Task = "(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "159" + Task = "(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput" ` + -Name "AllowLinguisticDataCollection" ` + | Select-Object -ExpandProperty "AllowLinguisticDataCollection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "160" + Task = "(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if ($regValue -ne 99) { + return @{ + Message = "Registry value is '$regValue'. Expected: 99" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "161" + Task = "(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "162" + Task = "(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "163" + Task = "(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "164" + Task = "(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "165" + Task = "(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "166" + Task = "(HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. 
Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "167" + Task = "(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "168" + Task = "(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "169" + Task = "(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "170" + Task = "(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "171" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 A" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 B" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 C" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 D" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 E" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 F" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 G" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 H" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 I" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 J" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 K" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "173" + Task = "(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "174" + Task = "(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "175" + Task = "(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "176" + Task = "(HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "177" + Task = "(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "178" + Task = "(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "179" + Task = "(HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "180" + Task = "(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "181" + Task = "(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "182" + Task = "(HD) Ensure 'Prevent Codec Download' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "184" + Task = "(HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell" ` + -Name "ExecutionPolicy" ` + | Select-Object -ExpandProperty "ExecutionPolicy" + + if ($regValue -ne "AllSigned") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: AllSigned" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "185" + Task = "(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "186" + Task = "(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "187" + Task = "(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "188" + Task = "(ND, NE) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "189" + Task = "(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "190" + Task = "(HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "191" + Task = "(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "192" + Task = "(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "193" + Task = "(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "194" + Task = "(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "195" + Task = "(HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "196" + Task = "(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "197" + Task = "(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "198" + Task = "(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'." 
+ Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "199" + Task = "(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "209" + Task = "(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "210" + Task = "(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "211" + Task = "(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "212" + Task = "(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "213" + Task = "(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "214" + Task = "(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "215" + Task = "(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "216" + Task = "(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "217" + Task = "(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "218" + Task = "(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "219" + Task = "(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "220" + Task = "(ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "221" + Task = "(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "222" + Task = "(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "223" + Task = "(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "224" + Task = "(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "225" + Task = "(HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "226" + Task = "(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "2") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "227" + Task = "(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "228" + Task = "(HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "229" + Task = " Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "230" + Task = "(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "231" + Task = "(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "232" + Task = "(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "233" + Task = "(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "234" + Task = "(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "239" + Task = "(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "240" + Task = "(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "241" + Task = "(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'." 
+ Test = { + try { + if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "242" + Task = "(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'." + Test = { + try { + if ((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "243" + Task = "(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "244" + Task = "(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "245" + Task = "(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'." + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See
here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "246" + Task = "(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. " + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "247" + Task = "(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "248" + Task = "(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "250" + Task = "(HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "251" + Task = "(HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "252" + Task = "(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "253" + Task = "(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "254" + Task = "(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "255" + Task = "(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "256" + Task = "(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "257" + Task = "(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "258" + Task = "(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "259" + Task = "(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "260" + Task = "(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "261" + Task = "(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "262" + Task = "(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "264" + Task = "(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "265" + Task = "(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "266" + Task = "(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "267" + Task = "(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "268" + Task = "(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "269" + Task = "(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "270" + Task = "(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "271" + Task = "(ND, NE) Configure 'Network access: Remotely accessible registry paths'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "272" + Task = "(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "273" + Task = "(HD) Ensure 'System settings: Optional subsystems' is set to 'None'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems" ` + -Name "Optional" ` + | Select-Object -ExpandProperty "Optional" + + if ($regValue -ne $null) { + return @{ + Message = "Registry value is '$regValue'. Expected: (Blank)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "274" + Task = "(HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "275" + Task = "(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "276" + Task = "(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "316" + Task = "(HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "317" + Task = "(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'." 
+ Test = { + try { + $status = Get-Service DiagTrack -ErrorAction Stop | select -property starttype + if ($status.StartType -ne "Disabled") { + return @{ + Message = "Service not compliant. Currently: $($status)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException] { + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "318" + Task = "(HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "319" + Task = "(HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "320" + Task = "(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "321" + Task = "(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "322" + Task = "(HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "323" + Task = "(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "324" + Task = "(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "325" + Task = "(HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "326" + Task = "(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'." + Test = { + $result = Get-WindowsOptionalFeature -online -FeatureName Microsoft-Windows-Subsystem-Linux + $state = $result.State + if ($state -eq "Disabled" -or $state -eq "Not Installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "Registry value is '$state'. 
Expected: 'Disabled' or 'Not Installed'" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "327" + Task = "(HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "328" + Task = "(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "329" + Task = "(HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "330" + Task = "(HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "331" + Task = "(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "332" + Task = "(HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "333" + Task = "(HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "334" + Task = "(HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "335" + Task = "(HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "336" + Task = "(HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "337" + Task = "(HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "338" + Task = "(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "339" + Task = "(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "340" + Task = "(HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "341" + Task = "(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "342" + Task = "(HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "343" + Task = "(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "344" + Task = "(HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "345" + Task = "(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "346" + Task = "(HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "347" + Task = "(HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "348" + Task = "(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "349" + Task = "(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "350" + Task = "(HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "351" + Task = "(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "352" + Task = "(HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "353" + Task = "(HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "354" + Task = "(HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "355" + Task = "(HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "356" + Task = "(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "357" + Task = "(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "358" + Task = "(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "359" + Task = "(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "360" + Task = "(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "361" + Task = "(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "362" + Task = "(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "363" + Task = "(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "364" + Task = "(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "365" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' ." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "366" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "367" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "368" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "369" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "370" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "371" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "372" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "373" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "374" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#SecurityOptions.ps1 new file mode 100644 index 0000000..571931b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#SecurityOptions.ps1 
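Review bot: the 'Not Installed' handling in the catch blocks does not match the Task text for three services in this hunk. Id 356 (W3SVC) is titled "'Disabled' or 'Not Installed'" but both of its catch blocks return `Status = "False"` with "Registry key not found.", so a host without IIS is reported non-compliant, while Ids 343 (SSDPSRV) and 349 (WMPNetworkSvc) are titled only 'Disabled' yet return `Status = "True"` with "Compliant. Registry key not found." Either adjust those Task strings or make the catch branches follow the rule used by Ids 341, 342 and 348 (a missing key is compliant only when the Task allows 'Not Installed'). Minor: the Task strings of Ids 345, 351, 352 and 354 carry trailing whitespace inside the quotes, Id 365 has a space before its final period, and the trailing semicolons on `$expectedValue = 0;` and on the `$path1`/`$path2`/`$key` lines of Id 364 are inconsistent with the other firewall tests.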
@@ -0,0 +1,156 @@ +[AuditTest] @{ + Id = "235" + Task = "(ND, NE) Configure 'Accounts: Rename administrator account'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "236" + Task = "(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableAdminAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "237" + Task = "(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. " + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "238" + Task = "(ND, NE) Configure 'Accounts: Rename guest account'." 
+ Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "249" + Task = "(ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "263" + Task = "(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#UserRights.ps1 new file mode 100644 index 0000000..2ffd579 --- /dev/null 
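Review bot: the file is committed without a trailing newline (`\ No newline at end of file` after Id 263); add one so later diffs stay clean. The `(?i)` in Id 238's pattern `"^(?i)(?!.*\b(?:Guest|Gast)\b).*$"` is redundant because `-match` is case-insensitive by default, and it makes 238 look stricter than Id 235, whose `"^(?!.*\bAdministrator\b).*$"` relies on that default; drop the flag or apply the same style to both checks. Minor: the Task string of Id 237 has trailing whitespace inside the quotes.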
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#UserRights.ps1 
@@ -0,0 +1,1479 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"277" + Task = "(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "278" + Task = "(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "279" + Task = "(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'.`n`n" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "280" + Task = "(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "281" + Task = "(HD) Configure 'Log on as a service'. 
[Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "281" + Task = "(HD) Configure 'Log on as a service'. [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "282" + Task = "(ND, NE) Ensure 'Deny 
log on as a service' to include 'ANONYMOUS LOGON, Guests'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "283" + Task = "(HD) Ensure 'Log on as a batch job' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "284" + Task = "(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $missingUsers = @() + + #save all sids + foreach($sid in $currentUserRights.sid){ + $currentUserSIDs += $sid + } + #only these sids have to be in userRight + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + "S-1-2-0" + ) + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "285" + Task = "(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "286" + Task = "(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. " + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + 
return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "287" + Task = "(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'.`n`n" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "288" + Task = "(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "289" + Task = "(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "290" + Task = "(ND, NE) Ensure 'Debug programs' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." 
+ } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "291" + Task = "(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "292" + Task = "(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "293" + Task = "(ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "294" + Task = "(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "295" + Task = "(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "296" + Task = "(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "297" + Task = "(ND, NE) Ensure 'Profile single process' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "298" + Task = "(ND, NE) Ensure 'Create a token object' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "299" + Task = "(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "300" + Task = "(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "301" + Task = "(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "302" + Task = "(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "303" + Task = "(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "304" + Task = "(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "305" + Task = "(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "306" + Task = "(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'.`n" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
+[AuditTest] @{ + Id = "307" + Task = "(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. " + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "308" + Task = "(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "309" + Task = "(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "310" + Task = "(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' ." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "311" + Task = "(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "312" + Task = "(ND, NE) Ensure 'Modify an object label' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "313" + Task = "(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "314" + Task = "(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "315" + Task = "(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. 
`n`n" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies.ps1 new file mode 100644 index 0000000..b9e59ec --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies.ps1 
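Review bot: Several Task strings in this hunk carry stray characters that will leak into the generated report: Id 306 ends with a literal "`n", Id 315 with "`n`n" plus a real line break inside the string literal, Ids 311 and 314 also break the string across a line so the Task contains an embedded newline, Id 307 has a trailing space, and Id 310 reads "'Administrators' ." with a space before the period; trim them to one-line strings such as `Task = "(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'."`. In the two deny-right tests (306 and 315) the outer `if (($missingUsers.Count -gt 0))` wraps an identical inner `if ($missingUsers.Count -gt 0)`, and a blank line remains where `$unexpectedUsers` was removed; the missing-only semantics are right for a "to include" control (extra denied principals are not a finding), but a one-line comment saying so would stop a later reader from re-adding the `$unexpectedUsers` branch and turning the test into an exact-match check. For the 'No One' tests (309 and 312) piping an empty `@()` through ConvertTo-NTAccountUser yields `$null`, so `$identityAccounts.Account` is `$null` and every account currently holding the right is reported as unexpected, which is the intended result; a short comment there would make that reliance on `-notin $null` explicit rather than accidental.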
@@ -0,0 +1,1502 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "5.1.1.1" + Task = "Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.2" + Task = "Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.3" + Task = "Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.4" + Task = "Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.5" + Task = "Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.6" + Task = "Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.7" + Task = "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.1.1.8" + Task = "Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.1" + Task = "Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.2" + Task = "Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.3" + Task = "Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.4" + Task = "Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.5" + Task = "Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.6" + Task = "Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.7" + Task = "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.8" + Task = "Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.2.1.9" + Task = "Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.3.1.1" + Task = "Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.3.1.2" + Task = "Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.3.1.3" + Task = "Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.3.1.4" + Task = "Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.3.1.5" + Task = "Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.3.1.6" + Task = "Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.5.1.1" + Task = "Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "5.5.1.2" + Task = "Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
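Review bot: In every `Test` block of this hunk the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` is unreachable, because `throw` leaves the script block first; either drop the `Write-Error` or move it before the `throw`. Two more points on the shared pattern: `$Matches[0]` is only valid when `$line` is a single string, since `-notmatch` applied to an array returns the non-matching elements and does not populate `$Matches`, so if `auditpol` emits more than one line after `Select-Object -Skip 3` (for example extra or differently wrapped header rows on another display language) the code falls through to `Set to: $setting` with a stale or empty value instead of the `Warning` branch; guarding with `if ($line -is [array])` or matching against `($line | Select-Object -Last 1)` would make the failure explicit. The regex also only recognises the English and German inclusion-setting strings, so on any other display language every test here degrades to `Warning` rather than `False`; that limitation deserves a comment at the top of the file. Finally, the body of each `[AuditTest]` is identical apart from the subcategory name and the accepted values (`"Success and Failure"` only, or `Success`/`Failure` plus the combined value); a helper such as `Test-AuditPolicySetting -Subcategory ... -Accepted @(...)` in `Helpers` would remove roughly fifty duplicated lines per test and keep the mixed `-and`/`-And` casing consistent.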
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings.ps1 new file mode 100644 index 0000000..797ad37 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings.ps1 
@@ -0,0 +1,711 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "4.1.1" + Task = "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1.2" + Task = "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.2.1.1" + Task = "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.1.2" + Task = "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.1.3" + Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; 
"Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.1.4" + Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.2.1" + Task = "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + 
$profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.2.2" + Task = "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.2.3" + Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.2.4" + Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; 
+ $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.3.1" + Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.3.2" + Task = "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.3.3" + Task = "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = 
"%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.2.3.4" + Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "4.3.1.1" + Task = "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.1.1" + Task = "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.1.2" + Task = "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.2.1" + Task = "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.2.2" + Task = "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.3.1" + Task = "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.3.2" + Task = "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.4.1" + Task = "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.2.4.2" + Task = "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.3.1" + Task = "Ensure 'Include command line in process creation events' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.4.2" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.3.4.3" + Task = "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies.ps1 new file mode 100644 index 0000000..b170726 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies.ps1 
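Review bot: the "or greater" checks in 4.2.2.2 and 4.2.3.4 pass the threshold through the same call used for exact-match values (`$expectedValue = 16384` alongside `$expectedValue = 1` for `LogDroppedPackets`), so please confirm that `Test-FirewallPaths` compares `LogFileSize` with `-ge` rather than `-eq`; if it is an equality check, a host configured with a larger log file will be reported non-compliant. Separately, 4.3.3.1, 4.3.4.2 and 4.3.4.3 all expect `0`, i.e. command-line auditing, script block logging and transcription turned off; if that is what this baseline prescribes, a short note in the Task text would help, because it is the inverse of the usual hardening guidance and reduces detection coverage on the endpoint. Style: the try/catch boilerplate around `Get-ItemProperty` is repeated verbatim in every registry test here; a helper in the style of `Test-FirewallPaths` would cut the file substantially, and the trailing semicolons on `$expectedValue = 16384;` are unnecessary in PowerShell.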
@@ -0,0 +1,171 @@ +[AuditTest] @{ + Id = "200" + Task = "(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "201" + Task = "(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "202" + Task = "(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "203" + Task = "(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "204" + Task = "(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "205" + Task = "(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' ." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
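Review bot: Id 202 contradicts its own Task. The Task says "24 or more password(s)" but the check is `if ($setPolicy -ne 24)`, so a history size of 30 would be reported non-compliant; change it to `if ($setPolicy -lt 24)` and the message to `Expected: x >= 24`, matching the pattern already used in 204 and 205. Minor: the Id 205 Task string has a stray space before the final period (`'1 or more day(s)' .`).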
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AuditPolicies.ps1 new file mode 100644 index 0000000..346e5c7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AuditPolicies.ps1 
@@ -0,0 +1,77 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings.ps1 new file mode 100644 index 0000000..e1bbaea --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings.ps1 
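Review bot: the `# Tests` section of this file is empty: it adds only `Get-AuditPolicySubcategoryGUID` and no `[AuditTest]` entries, so nothing in this audit group is evaluated and the helper is dead code until tests are added; either include the audit-policy tests the file name promises or leave the file out of this commit. The subcategory GUID map is also generic rather than baseline-specific and would fit better next to `AuditGroupFunctions.ps1` in `Helpers`, which the RegistrySettings file already dot-sources, instead of being copied into each group. Note that with `[AllowEmptyString()]` on the `Mandatory` parameter the function silently returns `""` for an empty or unknown subcategory name, so callers must check for an empty result rather than expect an error.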
@@ -0,0 +1,8320 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1" + Task = "(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2" + Task = "(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3" + Task = "(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4" + Task = "(ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5" + Task = "(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "6" + Task = "(ND, NE) Ensure 'LSA Protection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "7" + Task = "(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableDeadGWDetect" ` + | Select-Object -ExpandProperty "EnableDeadGWDetect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "8" + Task = "(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9" + Task = "(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "10" + Task = "(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "12" + Task = "(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "14" + Task = "(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "16" + Task = "(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "17" + Task = "(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "20" + Task = "(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "21" + Task = "(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "22" + Task = "(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24 A" + Task = "(ND, NE) Ensure 'Hardened UNC Paths' is set to `"Require Mutual Authentication=1, `"Require Integrity=1`" for the value names `"\\*\NETLOGON`" und `"\\*\SYSVOL`". [\\*\NETLOGON]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "24 B" + Task = "(ND, NE) Ensure 'Hardened UNC Paths' is set to `"Require Mutual Authentication=1, `"Require Integrity=1`" for the value names `"\\*\NETLOGON`" und `"\\*\SYSVOL`". 
[\\*\SYSVOL]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "33" + Task = "(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($null -eq $regValue -or 0 -eq $regValue) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1-3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "34" + Task = "(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "35" + Task = "(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "37" + Task = "(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "39" + Task = "(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "40" + Task = "(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "41" + Task = "(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "44" + Task = "(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "46" + Task = "(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "50" + Task = "(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "52" + Task = "(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "53" + Task = "(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "54" + Task = "(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "55" + Task = "(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "56" + Task = "(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "57" + Task = "(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "59 A" + Task = "(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "59 B" + Task = "(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. 
(PCI\CC_0C0A)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" + + $expectedValue = "PCI\CC_0C0A" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "59 C" + Task = "(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. (DenyDeviceIDsRetroactive)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDsRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "60 A" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "60 B" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{d48179be-ec20-11d1-b6b8-00c04fa372a7}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 C" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. 
(IEEE 1394 Devices That Support the 61883 Protocol)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 D" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (IEEE 1394 Devices That Support the AVC Protocol)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{c06ff265-ae09-48f0-812c-16753d7cba83}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 E" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (IEEE 1394 Host Bus Controller)" + Test = { + try { + $valueNames = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" + + $expectedValue = "{6bdd1fc1-810f-11d0-bec7-08002be2092f}" + + foreach ($obj in $valueNames.PSObject.Properties) { + if ($obj.Value -eq $expectedValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Registry value is missing: $expectedValue" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "60 F" + Task = "(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. (DenyDeviceClassesRetroactive)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "61" + Task = "(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "68" + Task = "(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "74" + Task = "(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "81" + Task = "(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "84" + Task = "(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' ." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "85" + Task = "(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "86" + Task = "(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "87" + Task = "(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "88" + Task = "(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM\BlockedCommands" ` + -Name "IgnoreDefaultList" ` + | Select-Object -ExpandProperty "IgnoreDefaultList" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "89" + Task = "(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm" ` + -Name "StandardUserAuthorizationFailureDuration" ` + | Select-Object -ExpandProperty "StandardUserAuthorizationFailureDuration" + + if ($regValue -ne 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "90" + Task = "(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Tpm" ` + -Name "StandardUserAuthorizationFailureIndividualThreshold" ` + | Select-Object -ExpandProperty "StandardUserAuthorizationFailureIndividualThreshold" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "94" + Task = "(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "95" + Task = "(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "96" + Task = "(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "SCRNSAVE.EXE" ` + | Select-Object -ExpandProperty "SCRNSAVE.EXE" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "97" + Task = "(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "98" + Task = "(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "99" + Task = "(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveTimeOut" ` + | Select-Object -ExpandProperty "ScreenSaveTimeOut" + + if (($regValue -gt 900 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "100 A" + Task = "(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "RestrictImplicitTextCollection" ` + | Select-Object -ExpandProperty "RestrictImplicitTextCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "100 B" + Task = "(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "RestrictImplicitInkCollection" ` + | Select-Object -ExpandProperty "RestrictImplicitInkCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "101" + Task = "(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "102" + Task = "(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "103" + Task = "(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "106" + Task = "(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "107" + Task = "(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "109" + Task = "(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "112" + Task = "(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "113" + Task = "(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "114" + Task = "(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "115" + Task = "(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "116" + Task = "(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "117" + Task = "(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "118" + Task = "(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "119" + Task = "(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "120" + Task = "(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + $saferClients = @("*Server*", "*Education*", "*Enterprise*") + $productname = Get-ComputerInfo | select -ExpandProperty OsName + if (($productname -notcontains $saferClients) -and ($regValue -eq 1)) { + return @{ + Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'." + Status = "Warning" + } + } + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "121" + Task = "(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowDeviceNameInTelemetry" ` + | Select-Object -ExpandProperty "AllowDeviceNameInTelemetry" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "124" + Task = "(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "126" + Task = "(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "127" + Task = "(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "131" + Task = "(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "134" + Task = "(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "135" + Task = "(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "136" + Task = "(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "137" + Task = "(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "138" + Task = "(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "139" + Task = "(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fResetBroken" ` + | Select-Object -ExpandProperty "fResetBroken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "142" + Task = "(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "143" + Task = "(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "145" + Task = "(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "146" + Task = "(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "147" + Task = "(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "148" + Task = "(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "149" + Task = "(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "152" + Task = "(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "153" + Task = "(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableOSUpgrade" ` + | Select-Object -ExpandProperty "DisableOSUpgrade" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "157" + Task = "(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "158" + Task = "(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "159" + Task = "(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput" ` + -Name "AllowLinguisticDataCollection" ` + | Select-Object -ExpandProperty "AllowLinguisticDataCollection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "160" + Task = "(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if ($regValue -ne 99) { + return @{ + Message = "Registry value is '$regValue'. Expected: 99" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "161" + Task = "(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "162" + Task = "(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "163" + Task = "(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'." 
+ Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "164" + Task = "(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "165" + Task = "(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'." 
+ Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "167" + Task = "(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "168" + Task = "(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "169" + Task = "(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "170" + Task = "(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "171" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 A" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 B" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 C" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 D" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 E" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 F" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 G" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 H" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 I" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 J" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "172 K" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "173" + Task = "(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "174" + Task = "(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "175" + Task = "(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "177" + Task = "(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "178" + Task = "(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "180" + Task = "(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "181" + Task = "(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "183" + Task = "(ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell" ` + -Name "ExecutionPolicy" ` + | Select-Object -ExpandProperty "ExecutionPolicy" + + if ($regValue -ne "RemoteSigned") { + return @{ + Message = "Registry value is '$regValue'. Expected: RemoteSigned" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "185" + Task = "(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "186" + Task = "(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "187" + Task = "(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "188" + Task = "(ND, NE) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "189" + Task = "(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "191" + Task = "(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "192" + Task = "(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "193" + Task = "(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "194" + Task = "(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "196" + Task = "(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "197" + Task = "(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "198" + Task = "(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "199" + Task = "(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "209" + Task = "(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "210" + Task = "(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "211" + Task = "(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "212" + Task = "(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "213" + Task = "(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "214" + Task = "(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "215" + Task = "(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "216" + Task = "(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "217" + Task = "(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "218" + Task = "(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "226" + Task = "(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "2") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "227" + Task = "(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "229" + Task = " Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "230" + Task = "(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "231" + Task = "(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "234" + Task = "(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "239" + Task = "(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "240" + Task = "(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "241" + Task = "(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'." + Test = { + try { + if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "242" + Task = "(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'." + Test = { + try { + if ((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "243" + Task = "(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "244" + Task = "(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "245" + Task = "(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'." + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "246" + Task = "(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. " + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "247" + Task = "(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "252" + Task = "(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "253" + Task = "(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "254" + Task = "(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "255" + Task = "(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "256" + Task = "(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "257" + Task = "(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "258" + Task = "(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "259" + Task = "(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "260" + Task = "(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "261" + Task = "(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "262" + Task = "(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "264" + Task = "(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "265" + Task = "(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "266" + Task = "(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "267" + Task = "(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "268" + Task = "(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "269" + Task = "(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "270" + Task = "(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "271" + Task = "(ND, NE) Configure 'Network access: Remotely accessible registry paths'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "272" + Task = "(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "275" + Task = "(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "276" + Task = "(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "317" + Task = "(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'." + Test = { + try { + $status = Get-Service DiagTrack -ErrorAction Stop | select -property starttype + if ($status.StartType -ne "Disabled") { + return @{ + Message = "Service not compliant. Currently: $($status)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException] { + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "320" + Task = "(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "321" + Task = "(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "323" + Task = "(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "324" + Task = "(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "326" + Task = "(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $result = Get-WindowsOptionalFeature -online -FeatureName Microsoft-Windows-Subsystem-Linux + $state = $result.State + if ($state -eq "Disabled" -or $state -eq "Not Installed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "Registry value is '$state'. Expected: 'Disabled' or 'Not Installed'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Value not found." + Status = "Error" + } + } + } +} +[AuditTest] @{ + Id = "328" + Task = "(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "331" + Task = "(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "338" + Task = "(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "339" + Task = "(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "341" + Task = "(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "343" + Task = "(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "345" + Task = "(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "348" + Task = "(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "349" + Task = "(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "351" + Task = "(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "356" + Task = "(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "357" + Task = "(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "358" + Task = "(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "359" + Task = "(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "360" + Task = "(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "365" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' ." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "366" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "367" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "368" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "369" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "370" + Task = "(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "371" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "372" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "373" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "374" + Task = "(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} 
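Review bot: Test 317 (DiagTrack) mixes a service check with registry error handling: the `catch [System.Management.Automation.PSArgumentException]` and `catch [System.Management.Automation.ItemNotFoundException]` blocks return "Registry value not found." / "Registry key not found." although nothing in that try block reads the registry, and the non-compliant message interpolates `$($status)`, which renders the whole selected object instead of the start type; use `$($status.StartType)` and drop the two registry catch blocks, since the `[System.SystemException]` catch already covers a missing service. In the same hunk, test 326 (LxssManager) compares the result of `Get-WindowsOptionalFeature` against "Not Installed" and reports "Registry value is '$state'" even though no registry value is read; please confirm that the feature state can actually take that string and reword the message. Finally, the handling of a missing `Start` value is inconsistent across the service tests: 321, 324, 338, 339, 345, 351 and the Xbox tests return False, while 320, 323, 328, 331, 341, 343, 348 and 349 return True. Decide per service whether "absent" means "not installed, compliant" and make the catch blocks follow that decision.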
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions.ps1 new file mode 100644 index 0000000..0f51558 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions.ps1 
@@ -0,0 +1,130 @@ +[AuditTest] @{ + Id = "235" + Task = "(ND, NE) Configure 'Accounts: Rename administrator account'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "236" + Task = "(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableAdminAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "237" + Task = "(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. " + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "238" + Task = "(ND, NE) Configure 'Accounts: Rename guest account'." 
+ Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "263" + Task = "(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights.ps1 new file mode 100644 index 0000000..b0a00fd --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights.ps1 
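Review bot: Test 235 accepts any administrator name that does not contain the whole word "Administrator", so values such as "Administrator1" or "LocalAdministrator" pass because `\b` does not match between "Administrator" and the following character; if the intent is to reject any name that merely contains the default name, drop the `\b` anchors. The two rename tests are also styled differently: 238 uses `(?i)` and a localized alternative ("Gast") while 235 has neither. `-notmatch` is already case-insensitive in PowerShell, so the `(?i)` is redundant, but the two patterns should follow one convention. The file also lacks a trailing newline (`\ No newline at end of file`); add one to match the other AuditGroups files.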
@@ -0,0 +1,1385 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"277" + Task = "(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "278" + Task = "(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "279" + Task = "(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "280" + Task = "(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "282" + Task = "(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "284" + Task = "(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $missingUsers = @() + + #save all sids + foreach($sid in $currentUserRights.sid){ + $currentUserSIDs += $sid + } + #only these sids have to be in userRight + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + "S-1-2-0" + ) + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "285" + Task = "(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "286" + Task = "(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. " + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + 
return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "287" + Task = "(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "288" + Task = "(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "289" + Task = "(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "290" + Task = "(ND, NE) Ensure 'Debug programs' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." 
+ } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "291" + Task = "(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "292" + Task = "(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "294" + Task = "(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "295" + Task = "(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "296" + Task = "(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "297" + Task = "(ND, NE) Ensure 'Profile single process' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "298" + Task = "(ND, NE) Ensure 'Create a token object' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "299" + Task = "(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "300" + Task = "(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. 
[Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "300" + Task = "(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators, NT Virtual Machine'. 
[Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "301" + Task = "(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "302" + Task = "(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "303" + Task = "(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "304" + Task = "(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "305" + Task = "(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "306" + Task = "(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "307" + Task = "(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. " + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "308" + Task = "(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "309" + Task = "(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "310" + Task = "(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' ." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "311" + Task = "(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "312" + Task = "(ND, NE) Ensure 'Modify an object label' is set to 'No One'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "313" + Task = "(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "314" + Task = "(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "315" + Task = "(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. 
" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-7" + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings.ps1 new file mode 100644 index 0000000..85c7f0d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings.ps1 
@@ -0,0 +1,289 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +if((Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise Evaluation" -or +(Get-WmiObject -class Win32_OperatingSystem).Caption -eq "Microsoft Windows 10 Enterprise"){ + [AuditTest] @{ + Id = "3.1.1" + Task = "Configuration of the lowest possible telemetry-level (Enterprise Windows 10)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +else{ + [AuditTest] @{ + Id = "3.1.1" + Task = "Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + $saferClients = @("*Server*","*Education*","*Enterprise*") + $productname = Get-ComputerInfo | select -ExpandProperty OsName + if (($productname -notcontains $saferClients) -and ($regValue -eq 1)){ + return @{ + Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'." 
+ Status = "Warning" + } + } + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "3.1.2 A" + Task = "Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1.2 B" + Task = "Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diagtrack-Listener" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1.3 A" + Task = "Deactivation of telemetry according to Microsoft - Disable Windows Update Service" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1.3 B" + Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1.3 C" + Task = "Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#AccountPolicies.ps1 new file mode 100644 index 0000000..3819cd2 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#AccountPolicies.ps1 
@@ -0,0 +1,199 @@ +[AuditTest] @{ + Id = "Medium-001" + Task = "Ensure 'Account lockout duration' is set to 0" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 0)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x == 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-002" + Task = "Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-003" + Task = " Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x == 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-146" + Task = "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-147" + Task = "Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-148" + Task = "Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." 
+ Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-149" + Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#AuditPolicies.ps1 new file mode 100644 index 0000000..b303f1b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#AuditPolicies.ps1 
@@ -0,0 +1,1217 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "Medium-041" + Task = "Ensure 'Audit Computer Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-042" + Task = "Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-043" + Task = "Ensure 'Audit Security Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-044" + Task = "Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-045" + Task = "Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-046" + Task = "Ensure 'Audit Process Termination' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Process Termination + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Termination" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Termination'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-047" + Task = "Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-048" + Task = "Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-049" + Task = "Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-050" + Task = "Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-051" + Task = "Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-052" + Task = "Ensure 'Audit Special Logon' is set to 'Success and Failure'." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-053" + Task = "Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-054" + Task = "Ensure 'Audit File System' is set to 'Success and Failure'." 
+ Test = { + # Get the audit policy for the subcategory File System + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File System" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File System'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-055" + Task = "Ensure 'Audit Kernel Object' is set to 'Success and Failure'." 
+ Test = { + # Get the audit policy for the subcategory Kernel Object + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kernel Object" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kernel Object'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-056" + Task = "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-057" + Task = "Ensure 'Audit Registry' is set to 'Success and Failure'." 
+ Test = { + # Get the audit policy for the subcategory Registry + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Registry" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Registry'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-058" + Task = "Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-059" + Task = "Ensure 'Audit Other Policy Change Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-060" + Task = "Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#RegistrySettings.ps1 new file mode 100644 index 0000000..0bacceb --- /dev/null 
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#RegistrySettings.ps1 
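Review bot: in each of the audit-policy tests above (Medium-042 through Medium-060) the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` is unreachable, since `throw` leaves the scriptblock before the next statement runs; either drop the `Write-Error` or move it ahead of the `throw`. Every other failure path in these tests returns a hashtable (`Status = "None"` or `"Warning"`), so returning one here as well would report a non-zero `auditpol` exit code as a finding instead of aborting the whole run. The Task strings are also inconsistent with the comparisons: Medium-046 says "is set to 'Success'." but accepts "Success and Failure" too, exactly like Medium-045's "is set to include 'Success'", and some Tasks end with a period while most do not. The `-match` against a fixed English/German alternation means any other UI language falls through to `Status = "Warning"` with "Couldn't get setting.", which the message should say. Finally, the same fetch-and-parse block is repeated nineteen times with only the subcategory name changing; a helper beside `Get-AuditPolicySubcategoryGUID` that returns the parsed setting would reduce each test to its comparison.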
@@ -0,0 +1,12743 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +[AuditTest] @{ + Id = "High-001 A" + Task = "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 B" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 C" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 D" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 E" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 F" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 G" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 H" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 I" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block executable files from running unless they meet a prevalence, age, or trusted list criterion'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "01443614-CD74-433A-B99E-2ECDC07BFC25" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "01443614-CD74-433A-B99E-2ECDC07BFC25" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 J" + Task = "Ensure 'Configure Attack Surface Reduction rules: Use advanced protection against ransomware'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "c1db55ab-c21a-4637-bb3f-a12568109d35" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "c1db55ab-c21a-4637-bb3f-a12568109d35" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 K" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe))'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 L" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block process creations originating from PSExec and WMI commands)" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "D1E49AAC-8F56-4280-B9BA-993A6D77406C" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "D1E49AAC-8F56-4280-B9BA-993A6D77406C" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 M" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB' is configured" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 N" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 O" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-001 P" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-002" + Task = "Ensure 'Interactive logon' is configured 'Number of previous logons to cache (in case domain controller is not available)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-003" + Task = "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-004" + Task = "Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-005 A" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-005 B" + Task = "Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-005 C" + Task = "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-006" + Task = "Ensure 'Configure allowed applications' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" ` + -Name "ExploitGuard_ControlledFolderAccess_AllowedApplications" ` + | Select-Object -ExpandProperty "ExploitGuard_ControlledFolderAccess_AllowedApplications" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-007" + Task = "Ensure 'Configure Controlled folder access' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" ` + -Name "EnableControlledFolderAccess" ` + | Select-Object -ExpandProperty "EnableControlledFolderAccess" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-008 A" + Task = "Ensure 'Configure protected folders' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" ` + -Name "ExploitGuard_ControlledFolderAccess_ProtectedFolders" ` + | Select-Object -ExpandProperty "ExploitGuard_ControlledFolderAccess_ProtectedFolders" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-008 B" + Task = "Ensure 'Configure protected folders' is set to 'Enter the folders that should be guarded'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-009" + Task = "Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-010" + Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-011" + Task = "Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-012" + Task = "Ensure 'Enumerate administrator accounts on elevation' is set 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrator" ` + | Select-Object -ExpandProperty "EnumerateAdministrator" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-013" + Task = "Ensure 'Require trusted path for credential entry' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnableSecureCredentialPrompting" ` + | Select-Object -ExpandProperty "EnableSecureCredentialPrompting" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-014" + Task = "Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "NoLocalPasswordResetQuestions" ` + | Select-Object -ExpandProperty "NoLocalPasswordResetQuestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-015" + Task = "Ensure 'Disable or enable software Secure Attention Sequence' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "SoftwareSASGeneration" ` + | Select-Object -ExpandProperty "SoftwareSASGeneration" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-016" + Task = "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-017" + Task = "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-018" + Task = "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good and unknown'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-019" + Task = "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-020" + Task = "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-021" + Task = "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-022" + Task = "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-023" + Task = "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-024" + Task = "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-025" + Task = "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-026" + Task = "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-027" + Task = "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-028 A" + Task = "Ensure 'Use a common set of exploit protection settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection" ` + -Name "ExploitProtectionSettings" ` + | Select-Object -ExpandProperty "ExploitProtectionSettings" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-028 B" + Task = "Ensure 'Use a common set of exploit protection settings' is configured 'Type the location (local path, UNC path, or URL) of the mitigation settings configuration XML file'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection" ` + -Name "ExploitProtectionSettings" ` + | Select-Object -ExpandProperty "ExploitProtectionSettings" + + if ($regValue -ne "*") { + return @{ + Message = "Registry value is '$regValue'. Expected: *" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-029" + Task = "Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-030" + Task = "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-031" + Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-033" + Task = "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-034" + Task = "Ensure 'Allow download restrictions' is set to 'Enabled: Block potentially dangerous downloads'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "DownloadRestrictions" ` + | Select-Object -ExpandProperty "DownloadRestrictions" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-035" + Task = "Ensure 'Configure Do Not Track' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "DoNotTrack" ` + | Select-Object -ExpandProperty "DoNotTrack" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-036" + Task = "Ensure 'Control the mode of DNS-over-HTTPS' is set to 'Enabled': 'Disable DNS-over-HTTPS'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "DnsOverHttpsMode" ` + | Select-Object -ExpandProperty "DnsOverHttpsMode" + + if ($regValue -ne "off") { + return @{ + Message = "Registry value is '$regValue'. Expected: off" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-037" + Task = "Ensure 'Control where developer tools can be used' is configured 'Control where developer tools can be used'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "DeveloperToolsAvailability" ` + | Select-Object -ExpandProperty "DeveloperToolsAvailability" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-038" + Task = "Ensure 'DNS interception checks enabled' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "DNSInterceptionChecksEnabled" ` + | Select-Object -ExpandProperty "DNSInterceptionChecksEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-039" + Task = "Ensure 'Default pop-up window setting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "DefaultPopupsSetting" ` + | Select-Object -ExpandProperty "DefaultPopupsSetting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-040" + Task = "Ensure 'Enable saving passwords to the password manager' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\Recommended" ` + -Name "PasswordManagerEnabled" ` + | Select-Object -ExpandProperty "PasswordManagerEnabled" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-041" + Task = "Ensure 'Configure Microsoft Defender SmartScreen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "SmartScreenEnabled" ` + | Select-Object -ExpandProperty "SmartScreenEnabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-042" + Task = "Ensure 'Prevent bypassing Microsoft Defender SmartScreen prompts for sites' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" ` + -Name "PreventSmartScreenPromptOverride" ` + | Select-Object -ExpandProperty "PreventSmartScreenPromptOverride" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-043" + Task = "Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge" ` + -Name "PreventSmartScreenPromptOverrideForFiles" ` + | Select-Object -ExpandProperty "PreventSmartScreenPromptOverrideForFiles" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-044" + Task = "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-045" + Task = "Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowAppHVSI_ProviderSet" ` + | Select-Object -ExpandProperty "AllowAppHVSI_ProviderSet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-046" + Task = "Ensure 'Use the Enterprise Mode IE website list' is set to 'Enabled': 'Type the location (URL) of your Enterprise Mode IE website list'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" ` + -Name "SiteList" ` + | Select-Object -ExpandProperty "SiteList" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-047" + Task = "Ensure 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" ` + -Name "RestrictIE" ` + | Select-Object -ExpandProperty "RestrictIE" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-048" + Task = "Ensure 'Allow Automatic Updates immediate installation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "AutoInstallMinorUpdates" ` + | Select-Object -ExpandProperty "AutoInstallMinorUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-049 A" + Task = "Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-049 B" + Task = " Ensure 'Configure Automatic Updates' is set to '4 - Auto download and schedule the install'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "AUOptions" ` + | Select-Object -ExpandProperty "AUOptions" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-049 C" + Task = "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-049 D" + Task = "Ensure 'Configure Automatic Updates' is configured 'Install updates for other Microsoft products'" + Test = { + try { + $regValue1 = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services" ` + -Name "DefaultService" ` + | Select-Object -ExpandProperty "DefaultService" + $regValue2 = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971F918-A847-4430-9279-4A52D1EFE18D" ` + -Name "RegisteredWithAU" ` + | Select-Object -ExpandProperty "RegisteredWithAU" + if ($regValue1 -eq "7971f918-a847-4430-9279-4a52d1efe18d" -and $regValue2 -eq 1) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { + try { + $regValue3 = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "AllowMUUpdateService" ` + | Select-Object -ExpandProperty "AllowMUUpdateService" + $regValue4 = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + if ($regValue3 -eq 1 -and $regValue4 -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException], [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "At least one of the following ways aren't configured correctly.
+ Configure these to paths to get compliance:
+ HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services:DefaultService = 7971f918-a847-4430-9279-4a52d1efe18d
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971F918-A847-4430-9279-4A52D1EFE18D:RegisteredWithAU = 1
+ OR configure these:
+ HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:AllowMUUpdateService = 1
+ HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate = 0 + " + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "High-050" + Task = "Ensure 'Do not include drivers with Windows Updates' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ExcludeWUDriversInQualityUpdate" ` + | Select-Object -ExpandProperty "ExcludeWUDriversInQualityUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-051" + Task = "Ensure 'Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "AUPowerManagement" ` + | Select-Object -ExpandProperty "AUPowerManagement" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-052" + Task = "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-053" + Task = "Ensure 'Remove access to use all Windows Update features' is disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" ` + -Name "DisableWindowsUpdateAccess" ` + | Select-Object -ExpandProperty "DisableWindowsUpdateAccess" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-054" + Task = "Ensure 'Turn on recommended updates via Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "IncludeRecommendedUpdates" ` + | Select-Object -ExpandProperty "IncludeRecommendedUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "High-055" + Task = "Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "UseWUServer" ` + | Select-Object -ExpandProperty "UseWUServer" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-004" + Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-006" + Task = "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-007" + Task = "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-008" + Task = "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-009" + Task = "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-010" + Task = "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-011" + Task = "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-012" + Task = "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-015" + Task = "Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-016" + Task = "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-017" + Task = "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "DisableBlockAtFirstSeen" ` + | Select-Object -ExpandProperty "DisableBlockAtFirstSeen" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-018" + Task = "Ensure 'Join Microsoft MAPS' is set to 'Enabled': 'Advanced MAPS'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-019" + Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-020" + Task = "Ensure 'Configure extended cloud check' is set to 'Enabled' and set to '50'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "MpBafsExtendedTimeout" ` + | Select-Object -ExpandProperty "MpBafsExtendedTimeout" + + if ($regValue -ne 50) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 50" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-021" + Task = "Ensure 'Select cloud protection level' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "MpCloudBlockLevel" ` + | Select-Object -ExpandProperty "MpCloudBlockLevel" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-022" + Task = "Ensure 'Configure removal of items from Quarantine folder' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Quarantine" ` + -Name "PurgeItemsAfterDelay" ` + | Select-Object -ExpandProperty "PurgeItemsAfterDelay" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-023" + Task = "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-024" + Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-025" + Task = "Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-026" + Task = " Ensure 'Turn on process scanning whenever real-time protection is enabled' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScanOnRealtimeEnable" ` + | Select-Object -ExpandProperty "DisableScanOnRealtimeEnable" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-027" + Task = "Ensure 'Allow users to pause scan' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Scan" ` + -Name "AllowPause" ` + | Select-Object -ExpandProperty "AllowPause" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-028" + Task = "Ensure 'Check for the latest virus and spyware definitions before running a scheduled scan' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Scan" ` + -Name "CheckForSignaturesBeforeRunningScan" ` + | Select-Object -ExpandProperty "CheckForSignaturesBeforeRunningScan" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-029" + Task = "Ensure 'Scan archive files' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableArchiveScanning" ` + | Select-Object -ExpandProperty "DisableArchiveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-030" + Task = "Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-031" + Task = "Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-032" + Task = "Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-033" + Task = "Ensure 'Turn on heuristics' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableHeuristics" ` + | Select-Object -ExpandProperty "DisableHeuristics" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-034" + Task = "Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-035" + Task = "Ensure 'Hide mechanisms to remove zone information' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "HideZoneInfoOnProperties" ` + | Select-Object -ExpandProperty "HideZoneInfoOnProperties" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-036" + Task = "Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-037" + Task = "Ensure 'Specify the maximum log file size (KB)' is configured 'Maximum Log Size (KB): 65536' (Application)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -ne 65536)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-038" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '2097152' (Security)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 2097152) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2097152" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-039" + Task = "Ensure 'Specify the maximum log file size (KB)' is configured 'Maximum Log Size (KB): 65536' (System)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -ne 65536)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-061" + Task = "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-062" + Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-063" + Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-064" + Task = "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-065" + Task = "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-066" + Task = "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-067" + Task = "Ensure 'Route all traffic through the internal network' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "Force_Tunneling" ` + | Select-Object -ExpandProperty "Force_Tunneling" + + if ($regValue -ne "Enabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Enabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-068" + Task = "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-070" + Task = "Ensure 'Remove CD Burning features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoCDBurning" ` + | Select-Object -ExpandProperty "NoCDBurning" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-071" + Task = "Ensure 'Prevent access to the command prompt' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableCMD" ` + | Select-Object -ExpandProperty "DisableCMD" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-072 A" + Task = "Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-072 B" + Task = "Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Prevent installation of devices that match any of these Device IDs: PCI\CC_0C0010'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "PCI\CC_0C0010") { + return @{ + Message = "Registry value is '$regValue'. Expected: PCI\CC_0C0010" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-072 C" + Task = "Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Prevent installation of devices that match any of these Device IDs: PCI\CC_0C0A'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" ` + -Name "5" ` + | Select-Object -ExpandProperty "5" + + if ($regValue -ne "PCI\CC_0C0A") { + return @{ + Message = "Registry value is '$regValue'. Expected: PCI\CC_0C0A" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-072 D" + Task = "Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Also apply to matching devices that are already installed'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDsRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-073 A" + Task = "Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-073 B" + Task = "Prevent installation of devices using drivers that match these device setup classes: 'Prevent installation of devices using drivers for these device setup classes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-073 C" + Task = "Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured 'Also apply to matching devices that are already installed.'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-074 A" + Task = "Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled': 'XTS-AES 128-bit'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EncryptionMethodWithXtsOs" ` + | Select-Object -ExpandProperty "EncryptionMethodWithXtsOs" + + if (($regValue -ne 6)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 6" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-074 B" + Task = "Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'XTS-AES 128-bit'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EncryptionMethodWithXtsFdv" ` + | Select-Object -ExpandProperty "EncryptionMethodWithXtsFdv" + + if (($regValue -ne 6)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 6" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-074 C" + Task = "Ensure 'Select the encryption method for removable data drives' is configured 'XTS-AES 128-bit'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EncryptionMethodWithXtsRdv" ` + | Select-Object -ExpandProperty "EncryptionMethodWithXtsRdv" + + if (($regValue -ne 6)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 6" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-075" + Task = "Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-076" + Task = "Ensure 'Prevent memory overwrite on restart' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "MorBehavior" ` + | Select-Object -ExpandProperty "MorBehavior" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 A" + Task = "Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 B" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Allow data recovery agent'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 C" + Task = "Ensure 'Configure user storage of BitLocker recovery information' is set to 'Allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 D" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 E" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 F" + Task = "Ensure 'Configure storage of BitLocker recovery information to AD DS' is set to 'Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 G" + Task = "Ensure 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-077 H" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for fixed data drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-078 A" + Task = "Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-078 B" + Task = "Ensure 'Require password for fixed data drive' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVEnforcePassphrase" ` + | Select-Object -ExpandProperty "FDVEnforcePassphrase" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-078 C" + Task = "Ensure 'Configure password complexity for fixed data drives' is set to 'Require password complexity'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVPassphraseComplexity" ` + | Select-Object -ExpandProperty "FDVPassphraseComplexity" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-078 D" + Task = "Ensure 'Minimum password length for fixed data drive' is set to 14." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVPassphraseLength" ` + | Select-Object -ExpandProperty "FDVPassphraseLength" + + if (($regValue -ne 14)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 14" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-079" + Task = "Ensure 'Deny write access to fixed drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "FDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "FDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-080" + Task = "Ensure 'Enforce drive encryption type on fixed data drives' is set to 'Enabled' and 'Full encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVEncryptionType" ` + | Select-Object -ExpandProperty "FDVEncryptionType" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-081" + Task = "Ensure 'Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.' 
is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSEnablePreBootPinExceptionOnDECapableDevice" ` + | Select-Object -ExpandProperty "OSEnablePreBootPinExceptionOnDECapableDevice" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-082" + Task = "Ensure 'Allow enhanced PINs for startup' is set 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-083" + Task = "Ensure 'Allow network unlock at startup' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageNKP" ` + | Select-Object -ExpandProperty "OSManageNKP" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-084" + Task = "Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSAllowSecureBootForIntegrity" ` + | Select-Object -ExpandProperty "OSAllowSecureBootForIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-085 A" + Task = "Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-085 B" + Task = "Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-085 C" + Task = "Ensure 'When using ‘BitLocker Management Solution', the `"Save BitLocker recovery information to AD DS for operating system drive`" option should be unchecked' is set to 'Omit recovery options from the BitLocker setup wizard'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-085 D" + Task = "Ensure 'Save BitLocker recovery information to AD DS for operating system drives' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-085 E" + Task = "Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-086" + Task = "Ensure 'Configure minimum PIN length for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "MinimumPIN" ` + | Select-Object -ExpandProperty "MinimumPIN" + + if ($regValue -ne 14) { + return @{ + Message = "Registry value is '$regValue'. Expected: 14" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-087 A" + Task = "Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSPassphrase" ` + | Select-Object -ExpandProperty "OSPassphrase" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-087 B" + Task = "Ensure 'Minimum password length for operating system drive' is set to 14." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSPassphraseLength" ` + | Select-Object -ExpandProperty "OSPassphraseLength" + + if (($regValue -ne 14)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 14" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-087 C" + Task = "Ensure 'Configure use of passwords for operating system drives' is set to 'Require password complexity'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSPassphraseComplexity" ` + | Select-Object -ExpandProperty "OSPassphraseComplexity" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-088" + Task = "Ensure 'Disallow standard users from changing the PIN or password' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "DisallowStandardUserPINReset" ` + | Select-Object -ExpandProperty "DisallowStandardUserPINReset" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-089" + Task = "Ensure 'Enforce drive encryption type on operating system drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSEncryptionType" ` + | Select-Object -ExpandProperty "OSEncryptionType" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-090 A" + Task = "Ensure 'Require additional authentication at startup' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-090 B" + Task = "Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-090 C" + Task = "Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPM" ` + | Select-Object -ExpandProperty "UseTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-090 D" + Task = "Ensure 'Configure TPM startup PIN' is set to 'Allow startup PIN with TPM'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMPIN" ` + | Select-Object -ExpandProperty "UseTPMPIN" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-090 E" + Task = "Ensure 'Configure TPM startup key' is set so 'Allow startup key with TPM'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKey" ` + | Select-Object -ExpandProperty "UseTPMKey" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-090 F" + Task = "Ensure 'Configure TPM startup key and PIN' is set to 'Allow startup key and PIN with TPM'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKeyPIN" ` + | Select-Object -ExpandProperty "UseTPMKeyPIN" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-091" + Task = "Ensure 'Reset platform validation data after BitLocker recovery' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "TPMAutoReseal" ` + | Select-Object -ExpandProperty "TPMAutoReseal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 A" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 B" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 C" + Task = "Ensure 'Configure user storage of BitLocker recovery information' is set to 'Allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\HKEY_LOCAL_MACHINE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 D" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 E" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 F" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 G" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-092 H" + Task = "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-093 A" + Task = "Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-093 B" + Task = "Ensure 'Configure use of passwords for removable data drives' is set to 'Require password for removable data drive'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVEnforcePassphrase" ` + | Select-Object -ExpandProperty "RDVEnforcePassphrase" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-093 C" + Task = "Ensure 'Configure use of passwords for removable data drives' is set to 'Configure password complexity for removable data drives: Require password complexity'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVPassphraseComplexity" ` + | Select-Object -ExpandProperty "RDVPassphraseComplexity" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-093 D" + Task = "Ensure 'Configure use of passwords for removable data drives' is set to 'Minimum password length for removable data drive: 14'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVPassphraseLength" ` + | Select-Object -ExpandProperty "RDVPassphraseLength" + + if (($regValue -ne 14)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 14" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-094 A" + Task = "Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVConfigureBDE" ` + | Select-Object -ExpandProperty "RDVConfigureBDE" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-094 B" + Task = "Ensure 'Control use of BitLocker on removable drives' is set to 'Allow users to suspend and decrypt BitLocker protection on removable data drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDisableBDE" ` + | Select-Object -ExpandProperty "RDVDisableBDE" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-095" + Task = "Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-096" + Task = "Ensure 'Enforce drive encryption type on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVEncryptionType" ` + | Select-Object -ExpandProperty "RDVEncryptionType" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-097" + Task = "Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-098" + Task = "Ensure 'All Removable Storage classes: Deny all access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices" ` + -Name "Deny_All" ` + | Select-Object -ExpandProperty "Deny_All" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-099" + Task = "Ensure 'CD and DVD: Deny execute access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Execute" ` + | Select-Object -ExpandProperty "Deny_Execute" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-100" + Task = "Ensure 'CD and DVD: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-101" + Task = "Ensure 'CD and DVD: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-102" + Task = "Ensure 'Custom Classes: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-103" + Task = "Ensure 'Custom Classes: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-104" + Task = " Ensure 'Floppy Drives: Deny execute access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Execute" ` + | Select-Object -ExpandProperty "Deny_Execute" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-105" + Task = " Ensure 'Floppy Drives: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-106" + Task = " Ensure 'Floppy Drives: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-107" + Task = "Ensure 'Removable Disks: Deny execute access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Execute" ` + | Select-Object -ExpandProperty "Deny_Execute" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-108" + Task = " Ensure 'Removable Disks: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-109" + Task = " Ensure 'Removable Disks: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-110" + Task = "Ensure 'Tape Drives: Deny execute access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Execute" ` + | Select-Object -ExpandProperty "Deny_Execute" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-111" + Task = "Ensure 'Tape Drives: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-112" + Task = " Ensure 'Tape Drives: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-113 A" + Task = " Ensure 'WPD Devices: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-113 B" + Task = " Ensure 'WPD Devices: Deny read access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}" ` + -Name "Deny_Read" ` + | Select-Object -ExpandProperty "Deny_Read" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-114 A" + Task = "Ensure 'WPD Devices: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-114 B" + Task = "Ensure 'WPD Devices: Deny write access' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}" ` + -Name "Deny_Write" ` + | Select-Object -ExpandProperty "Deny_Write" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-115" + Task = "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup" ` + -Name "DisableHomeGroup" ` + | Select-Object -ExpandProperty "DisableHomeGroup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-116" + Task = "Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-117 A" + Task = "Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-117 B" + Task = "Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-118" + Task = "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{b973a728-3951-46bc-86fa-7877b6d5f1f1}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-119" + Task = "Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-120" + Task = "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-121" + Task = "Ensure 'Turn off Local Group Policy Objects processing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLGPOProcessing" ` + | Select-Object -ExpandProperty "DisableLGPOProcessing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-122 A" + Task = "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-122 B" + Task = "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-123" + Task = "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-124" + Task = "Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-125" + Task = "Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-126" + Task = "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-128" + Task = "Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-129" + Task = "Ensure 'Do not process the legacy run list' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "DisableLocalMachineRun" ` + | Select-Object -ExpandProperty "DisableLocalMachineRun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-130" + Task = "Ensure 'Do not process the run once list' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "DisableLocalMachineRunOnce" ` + | Select-Object -ExpandProperty "DisableLocalMachineRunOnce" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-131" + Task = "Ensure 'Run these programs at user logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" ` + -Name "23" ` + | Select-Object -ExpandProperty "23" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-132" + Task = "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-133" + Task = "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-134" + Task = "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-135" + Task = "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-136" + Task = "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-137" + Task = "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-138" + Task = "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-139" + Task = "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if (($regValue -ne 2147483644) -and ($regValue -ne 2147483640)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2147483644 or x == 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-140" + Task = "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-141" + Task = "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-142" + Task = "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-143" + Task = "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-144" + Task = "Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-145" + Task = "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-150" + Task = "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-151" + Task = "Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-152" + Task = "Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-153" + Task = "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\d72ad9cc-1704-43b0-95d7-bda7b5432eea" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-154" + Task = "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-155" + Task = "Ensure 'Specify the system hibernate timeout (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-156" + Task = "Ensure 'Specify the system hibernate timeout (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-157" + Task = "Ensure 'Specify the system sleep timeout (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-158" + Task = " Ensure 'Specify the system sleep timeout (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-159" + Task = "Ensure 'Specify the unattended sleep timeout (on battery)' is set to 'Enabled: Unattended Sleep Timeout (seconds): 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-160" + Task = "Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled' and '0 seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-161" + Task = "Ensure 'Turn off hybrid sleep (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-162" + Task = " Ensure 'Turn off hybrid sleep (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-163" + Task = "Ensure 'Show hibernate in the power options menu' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "ShowHibernateOption" ` + | Select-Object -ExpandProperty "ShowHibernateOption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-164" + Task = "Ensure 'Show sleep in the power options menu' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "ShowSleepOption" ` + | Select-Object -ExpandProperty "ShowSleepOption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-165" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-166 A" + Task = "Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. 
" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell" ` + -Name "ExecutionPolicy" ` + | Select-Object -ExpandProperty "ExecutionPolicy" + + if ($regValue -ne "AllSigned") { + return @{ + Message = "Registry value is '$regValue'. Expected: AllSigned" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-166 B" + Task = "Ensure 'Turn on Script Execution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell" ` + -Name "EnableScripts" ` + | Select-Object -ExpandProperty "EnableScripts" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-167" + Task = "Ensure 'Prevent access to registry editing tools' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableRegistryTools" ` + | Select-Object -ExpandProperty "DisableRegistryTools" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-168" + Task = "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-169" + Task = "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-170" + Task = "Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-172" + Task = "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-173" + Task = "Ensure 'Configure server authentication for client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "AuthenticationLevel" ` + | Select-Object -ExpandProperty "AuthenticationLevel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-174" + Task = "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-175" + Task = "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-176" + Task = "Ensure 'Deny logoff of an administrator logged in to the console session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableForcibleLogoff" ` + | Select-Object -ExpandProperty "fDisableForcibleLogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-177" + Task = "Ensure 'Do not allow Clipboard redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableClip" ` + | Select-Object -ExpandProperty "fDisableClip" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-178" + Task = "Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-179" + Task = "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-180" + Task = "Ensure 'Do not allow local administrators to customize permissions' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fWritableTSCCPermTab" ` + | Select-Object -ExpandProperty "fWritableTSCCPermTab" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-181" + Task = "Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-182" + Task = "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-183" + Task = "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-184" + Task = "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-187" + Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-188" + Task = "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-189" + Task = "Ensure 'Turn off Inventory Collector' is set to 'Enabled'" + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-190" + Task = "Ensure 'Turn off Steps Recorder' is set to 'Enabled'" + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableUAR" ` + | Select-Object -ExpandProperty "DisableUAR" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-191" + Task = "Ensure 'Allow Telemetry' is set to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + $saferClients = @("*Server*", "*Education*", "*Enterprise*") + $productname = Get-ComputerInfo | select -ExpandProperty OsName + if (($productname -notcontains $saferClients) -and ($regValue -eq 1)) { + return @{ + Message = "Registry value is '$regValue'. Your OS $productname does not support 'Diagnostic data off'." 
+ Status = "Warning" + } + } + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-192 A" + Task = "Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "CorporateWerServer" ` + | Select-Object -ExpandProperty "CorporateWerServer" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-192 B" + Task = "Ensure 'Configure Corporate Windows Error Reporting' is set to 'Connect using SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "CorporateWerUseSSL" ` + | Select-Object -ExpandProperty "CorporateWerUseSSL" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-192 C" + Task = "Ensure 'Configure Corporate Windows Error Reporting' has configured Server Port" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "CorporateWerPortNumber" ` + | Select-Object -ExpandProperty "CorporateWerPortNumber" + + if (($regValue -lt 0 -or $regValue -gt 65535)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 0 and x <= 65535" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-193" + Task = "Ensure 'SafeModeBlockNonAdmins' is set to 1" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "SafeModeBlockNonAdmins" ` + | Select-Object -ExpandProperty "SafeModeBlockNonAdmins" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-194" + Task = "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-195" + Task = "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-196" + Task = "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-197" + Task = "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-198" + Task = "Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-199" + Task = "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-200" + Task = "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-201" + Task = "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-202" + Task = "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-203" + Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-204" + Task = "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-205" + Task = "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-206" + Task = "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-207" + Task = "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-209" + Task = "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-210" + Task = "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-211" + Task = "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-212" + Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-213" + Task = "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Medium-214" + Task = "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Medium-215" + Task = "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-216" + Task = "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x <= 15 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-217" + Task = "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Medium-218" + Task = "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Medium-219" + Task = "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-220" + Task = "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-221" + Task = "Ensure 'Allow users to select when a password is required when resuming from connected standby' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainDelayLock" ` + | Select-Object -ExpandProperty "AllowDomainDelayLock" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-222" + Task = "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-223" + Task = "Ensure 'Show lock in the user tile menu' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "ShowLockOption" ` + | Select-Object -ExpandProperty "ShowLockOption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-224" + Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-225" + Task = "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-226" + Task = "Ensure 'Enable screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-227" + Task = "Ensure 'Password protect the screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-228" + Task = "Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveTimeOut" ` + | Select-Object -ExpandProperty "ScreenSaveTimeOut" + + if (($regValue -lt 0 -or $regValue -gt 599940)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 0 and x <= 599940" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-229" + Task = "Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-230" + Task = "Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-231" + Task = "Ensure 'Do not allow Sound Recorder to run' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SoundRecorder" ` + -Name "Soundrec" ` + | Select-Object -ExpandProperty "Soundrec" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-254" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-255" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-256" + Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-257" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-258" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-259" + Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-260" + Task = "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-261" + Task = "Ensure 'Allow Cortana' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortana" ` + | Select-Object -ExpandProperty "AllowCortana" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-262" + Task = "Ensure 'Don’t search the web or display web results in Search' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "ConnectedSearchUseWeb" ` + | Select-Object -ExpandProperty "ConnectedSearchUseWeb" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-263" + Task = "Ensure 'Use FIPS compliant algorithms for encryption, hashing and signing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Centrify\CentrifyDC\Settings\Fips" ` + -Name "fips.mode.enable" ` + | Select-Object -ExpandProperty "fips.mode.enable" + + if ($regValue -ne "true") { + return @{ + Message = "Registry value is '$regValue'. Expected: true" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-001" + Task = "Ensure 'Remove Security tab' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoSecurityTab" ` + | Select-Object -ExpandProperty "NoSecurityTab" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-002" + Task = "Ensure 'Turn off location' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-003" + Task = "Ensure 'Turn off location scripting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocationScripting" ` + | Select-Object -ExpandProperty "DisableLocationScripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-004" + Task = "Ensure 'Turn off Windows Location Provider' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableWindowsLocationProvider" ` + | Select-Object -ExpandProperty "DisableWindowsLocationProvider" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-005" + Task = "Ensure 'Turn off access to the Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-006" + Task = "Ensure 'Turn off the Store application' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Low-007" + Task = "Ensure 'Determine if interactive users can generate Resultant Set of Policy data' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DenyRsopToInteractiveUser" ` + | Select-Object -ExpandProperty "DenyRsopToInteractiveUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#SecurityOptions.ps1 new file mode 100644 index 0000000..7f15ad4 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#SecurityOptions.ps1 
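Review bot: Medium-263 ('Use FIPS compliant algorithms for encryption, hashing and signing') reads `HKEY_LOCAL_MACHINE\Software\Policies\Centrify\CentrifyDC\Settings\Fips` / `fips.mode.enable`, which is a Centrify agent setting, not the Windows security option the Task names; on any host without Centrify the test lands in the ItemNotFoundException branch and reports "Registry key not found" regardless of how the Windows FIPS policy is set. Check the Windows policy value instead (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy`, value `Enabled`, expected 1) and compare against an integer rather than the string "true". Two smaller points in the same hunk: Medium-262's failure message says `Expected: x == 0` and wraps its condition in double parentheses, unlike every other test in this file (`Expected: 0`, `if ($regValue -ne 0)`); and Low-001 reads `HKEY_CURRENT_USER`, so its result only reflects the hive of the account running the audit, which should either be stated in the Task text or the check moved to a per-user evaluation.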
@@ -0,0 +1,110 @@ +[AuditTest] @{ + Id = "High-032" + Task = "Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableAdminAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-005" + Task = "Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-069" + Task = "Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Medium-208" + Task = "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#UserRights.ps1 new file mode 100644 index 0000000..622ad50 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-ACSC-21H1#UserRights.ps1 
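Review bot: High-032 and Medium-069 carry `Constraints = @( @{ "Property" = "DomainRole"; "Values" = "Member Server" } )`, but this file is the Windows 10 ACSC 21H1 group (`Microsoft Windows 10-ACSC-21H1#SecurityOptions.ps1`), where a client's DomainRole is a workstation role and never 'Member Server'; as written both tests are skipped on every machine this group targets, so the '(MS only)' qualifier and the constraint look copied from a server baseline. Either drop the constraint (the Administrator and Guest account status checks apply to workstations as well) or set Values to the workstation roles, and adjust the Task text to match. Medium-005 and Medium-208 look correct.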
@@ -0,0 +1,926 @@ +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "Medium-013" + Task = "Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + 
$identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-014" + Task = "Ensure 'Deny access to this computer from the network' is set to 'NT AUTHORITY\Local Account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join 
[System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-040" + Task = "Ensure 'Manage auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-171" + Task = "Ensure 'Deny log on through Remote Desktop Services' is set to 'Administrators, NT AUTHORITY\Local Account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-185" + Task = "Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-232" + Task = "Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-233" + Task = "Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the 
following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-234" + Task = "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-235" + Task = "Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin 
$currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-236" + Task = "Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-240" + Task = "Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-241" + Task = "Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers 
-join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-242" + Task = "Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-243" + Task = "Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ 
-notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-244" + Task = "Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." 
+ } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-245" + Task = "Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-246" + Task = "Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-247" + Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + "S-1-5-32-568" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected 
users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-248" + Task = "Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-249" + Task = "Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { 
$_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-250" + Task = "Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = 
"Medium-251" + Task = "Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-252" + Task = "Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "Medium-253" + Task = "Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..f6c9c43 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#AccountPolicies.ps1 
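Review bot: In Medium-247 the Task text conditions the expected set on "[IIS Role installed]", but the Constraints block only checks DomainRole = Member Server; on a member server without IIS the S-1-5-32-568 (IIS_IUSRS) entry cannot be resolved, is dropped by `ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }`, and the test reports Compliant without the role ever being checked. Either add a constraint (or an explicit check inside Test) for the IIS role, or document that the expected set shrinks silently when the group is absent. Two smaller points across all the Medium-24x/25x tests: the "missing users" message reads "The user 'Se...Privilege' setting does not contain ..." where the sibling message says "The user right ...", so the word "right" is missing; and in the "Less UserRights" branch at the top of this region `$users = ""` followed by `$users += $currentUser.Values` concatenates account names with no separator, so a `-join ", "` as used in the other messages would make that output readable.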
@@ -0,0 +1,283 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 365 -or $setPolicy -le 0) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 1) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'AllowAdministratorLockout' currently set to: $setPolicy. 
Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..01bc89f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#AuditPolicies.ps1 
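Review bot: Test 1.1.1 fails any value other than exactly 24 (`if ($setPolicy -ne 24)`, message "Expected: 24") although its Task reads "24 or more password(s)"; a policy that keeps a history of 30 would be reported non-compliant. Use `-lt 24` and word the message "Expected: x >= 24", matching the pattern the neighbouring tests (1.1.3, 1.1.4, 1.2.1) already use. Separately, the Ids jump from 1.1.5 to 1.1.7; if 1.1.6 is left out on purpose, a one-line comment saying why would spare the next reader a trip to the benchmark to check whether a test is missing.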
@@ -0,0 +1,1616 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..734c19b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#RegistrySettings.ps1 
@@ -0,0 +1,17452 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM" ` + -Name "RelaxMinimumPasswordLengthLimits" ` + | Select-Object -ExpandProperty "RelaxMinimumPasswordLengthLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if (($regValue -ne 537395200)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.11" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AuditReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "AuditReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.12" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.14.1" + Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 1 - 'User is prompted when the key is first used' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.5" + Task = "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.6" + Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.7" + Task = "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.8" + Task = "(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.9" + Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.10" + Task = "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $result = Get-WindowsOptionalFeature -online -FeatureName Microsoft-Windows-Subsystem-Linux + $state = $result.State + if($state -eq "Disabled" -or $state -eq "Not Installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + else{ + return @{ + Message = "Registry value is '$state'. Expected: 'Disabled' or 'Not Installed'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException]{ + return @{ + Message = "Value not found." + Status = "Error" + } + } + } +} +[AuditTest] @{ + Id = "5.11" + Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.12" + Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.13" + Task = "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.14" + Task = "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.15" + Task = "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.16" + Task = "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.17" + Task = "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.18" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.19" + Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.20" + Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.21" + Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.22" + Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.23" + Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.24" + Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.25" + Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.26" + Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.27" + Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.28" + Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.29" + Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.30" + Task = "(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.31" + Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.32" + Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.33" + Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.34" + Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.35" + Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.36" + Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.37" + Task = "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.38" + Task = "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.39" + Task = "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.40" + Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.41" + Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.42" + Task = "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.43" + Task = "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.44" + Task = "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.45" + Task = "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + 
Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + 
$expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is 
set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to 
'%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = 
"9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows 
Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' 
is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" 
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" ` + -Name "EnableCertPaddingCheck" ` + | Select-Object -ExpandProperty "EnableCertPaddingCheck" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'LSA Protection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.8" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.9" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters" ` + -Name "disablesavepassword" ` + | Select-Object -ExpandProperty "disablesavepassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.13" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' (or 0 - Disable NetBIOS name resolution)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($null -eq $regValue -or 0 -eq $regValue -or $regValue -gt 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1-3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.23.2.1" + Task = "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: 0 - Negotiate' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 1 - 'Secure Boot' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 1) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.1" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "PCI\CC_0C0A") { + return @{ + Message = "Registry value is '$regValue'. Expected: PCI\CC_0C0A" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.3" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDsRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.4" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 A" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the SBP2 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 B" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the IEC-61883 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 C" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the AVC Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "{c06ff265-ae09-48f0-812c-16753d7cba83}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {c06ff265-ae09-48f0-812c-16753d7cba83}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 D" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 Host Bus Controller Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "{6bdd1fc1-810f-11d0-bec7-08002be2092f}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {6bdd1fc1-810f-11d0-bec7-08002be2092f}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.6" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.5" + Task = "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.6" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.7" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "BackupDirectory" ` + | Select-Object -ExpandProperty "BackupDirectory" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.3" + Task = "(L1) Ensure 'Enable password encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "ADPasswordEncryptionEnabled" ` + | Select-Object -ExpandProperty "ADPasswordEncryptionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if (($regValue -lt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if (($regValue -gt 30 -or $regValue -lt 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x >= 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.7" + Task = "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationResetDelay" ` + | Select-Object -ExpandProperty "PostAuthenticationResetDelay" + + if (($regValue -gt 8 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 8 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.8" + Task = "(L1) Ensure 'Post-authentication actions: Actions' is set to 3 - 'Enabled: Reset the password and logoff the managed account' or 5 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationActions" ` + | Select-Object -ExpandProperty "PostAuthenticationActions" + + if (($regValue -ne 3) -and ($regValue -ne 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 3 or x == 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCustomSSPsAPs" ` + | Select-Object -ExpandProperty "AllowCustomSSPsAPs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2" + Task = "(NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "ConfigureLsaProtectedProcess" ` + | Select-Object -ExpandProperty "ConfigureLsaProtectedProcess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.1" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.2" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.3" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.4" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.5" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.6" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.2" + Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.2" + Task = "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.2" + Task = "(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx" ` + -Name "BlockNonAdminUserInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminUserInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.1" + Task = "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.2" + Task = "(L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "BlockHostedAppAccessWinRT" ` + | Select-Object -ExpandProperty "BlockHostedAppAccessWinRT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "FDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if (($regValue -ne 2) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if (($regValue -ne 2) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHardwareEncryption" ` + | Select-Object -ExpandProperty "FDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.11" + Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.12" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVAllowUserCert" ` + | Select-Object -ExpandProperty "FDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.13" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVEnforceUserCert" ` + | Select-Object -ExpandProperty "FDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.1" + Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.2" + Task = "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSAllowSecureBootForIntegrity" ` + | Select-Object -ExpandProperty "OSAllowSecureBootForIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryPassword" ` + | Select-Object -ExpandProperty "OSRecoveryPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryKey" ` + | Select-Object -ExpandProperty "OSRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "OSActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.10" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHardwareEncryption" ` + | Select-Object -ExpandProperty "OSHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.12" + Task = "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSPassphrase" ` + | Select-Object -ExpandProperty "OSPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.13" + Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.14" + Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.15" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPM" ` + | Select-Object -ExpandProperty "UseTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.16" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMPIN" ` + | Select-Object -ExpandProperty "UseTPMPIN" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.17" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKey" ` + | Select-Object -ExpandProperty "UseTPMKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.18" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKeyPIN" ` + | Select-Object -ExpandProperty "UseTPMKeyPIN" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "RDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHardwareEncryption" ` + | Select-Object -ExpandProperty "RDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.11" + Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.12" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVAllowUserCert" ` + | Select-Object -ExpandProperty "RDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.13" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVEnforceUserCert" ` + | Select-Object -ExpandProperty "RDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.14" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.15" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.4" + Task = "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.12.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.2" + Task = "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableCloudOptimizedContent" ` + | Select-Object -ExpandProperty "DisableCloudOptimizedContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.3" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.3" + Task = "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "NoLocalPasswordResetQuestions" ` + | Select-Object -ExpandProperty "NoLocalPasswordResetQuestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.1" + Task = "(L1) Ensure 'Download Mode' is NOT set to 3 - 'Enabled: Internet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if ($regValue -notmatch "^(0|1|2|99|100)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(0|1|2|99|100)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.1" + Task = "(L1) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.4" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.34.1" + Task = "(L1) Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" ` + -Name "NotifyDisableIEOptions" ` + | Select-Object -ExpandProperty "NotifyDisableIEOptions" + + $idMapping = @{ + 0 = "Don't notify" + 1 = "Always notify" + 2 = "Notify once" + } + return @{ + Message = "Compliant. Following setting is set: " + $idMapping[$regValue] + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.36.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.40.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 M" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.7.1" + Task = "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.1" + Task = "(L1) Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.2" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.3" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.17" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.1" + Task = "(NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AuditApplicationGuard" ` + | Select-Object -ExpandProperty "AuditApplicationGuard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.2" + Task = "(NG) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowCameraMicrophoneRedirection" ` + | Select-Object -ExpandProperty "AllowCameraMicrophoneRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.3" + Task = "(NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowPersistence" ` + | Select-Object -ExpandProperty "AllowPersistence" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.4" + Task = "(NG) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "SaveFilesToHost" ` + | Select-Object -ExpandProperty "SaveFilesToHost" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5" + Task = "(NG) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AppHVSIClipboardSettings" ` + | Select-Object -ExpandProperty "AppHVSIClipboardSettings" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6" + Task = "(NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowAppHVSI_ProviderSet" ` + | Select-Object -ExpandProperty "AllowAppHVSI_ProviderSet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.49.1" + Task = "(L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" ` + -Name "EnableFeeds" ` + | Select-Object -ExpandProperty "EnableFeeds" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.55.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.2.1" + Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.1" + Task = "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "EnableUiaRedirection" ` + | Select-Object -ExpandProperty "EnableUiaRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.2" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.3" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.4" + Task = "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLocationRedir" ` + | Select-Object -ExpandProperty "fDisableLocationRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.5" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.6" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.7" + Task = "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableWebAuthn" ` + | Select-Object -ExpandProperty "fDisableWebAuthn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.3" + Task = "(L1) Ensure 'Allow Cortana' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortana" ` + | Select-Object -ExpandProperty "AllowCortana" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.4" + Task = "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortanaAboveLock" ` + | Select-Object -ExpandProperty "AllowCortanaAboveLock" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.5" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.6" + Task = "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.7" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.62.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.65.1" + Task = "(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.65.2" + Task = "(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RequirePrivateStoreOnly" ` + | Select-Object -ExpandProperty "RequirePrivateStoreOnly" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.65.3" + Task = "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.65.4" + Task = "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableOSUpgrade" ` + | Select-Object -ExpandProperty "DisableOSUpgrade" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.65.5" + Task = "(L2) Ensure 'Turn off the Store application' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.71.1" + Task = "(L1) Ensure 'Allow widgets' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" ` + -Name "AllowNewsAndInterests" ` + | Select-Object -ExpandProperty "AllowNewsAndInterests" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.77.1" + Task = "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.1" + Task = "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.2" + Task = "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.1" + Task = "(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowClipboardRedirection" ` + | Select-Object -ExpandProperty "AllowClipboardRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.2" + Task = "(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowNetworking" ` + | Select-Object -ExpandProperty "AllowNetworking" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.3" + Task = "(L1) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if (($regValue -lt 180 -or $regValue -gt 365)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.26.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.42.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.44.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} \ No newline at end of file 
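Review bot: every check in this hunk reads `Registry::HKEY_CURRENT_USER`, so the result describes the account the auditor runs under (usually an elevated administrator), not the interactive users these 19.x user-policy controls are meant to cover; either state this limitation in the group or resolve the hive of the user being audited (`HKEY_USERS\<SID>`) instead. Style point: the path casing alternates between `SOFTWARE\Policies` and `Software\Policies` across tests (19.7.8.1 vs 19.7.8.3); the registry is case-insensitive so both work, but one form keeps future diffs clean. For 19.7.42.1 (AlwaysInstallElevated) a missing value is reported as a finding with 'Registry value not found.'; that matches the benchmark's 'Disabled' wording, but the message could say that 'not configured' is the non-elevating default and distinct from a value of 1, so readers can triage it differently. The file also ends without a trailing newline.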
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..0cd9c29 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#SecurityOptions.ps1 
@@ -0,0 +1,130 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#UserRights.ps1 new file mode 100644 index 0000000..cfee1ad --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-CIS-3.0.0#UserRights.ps1 
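Review bot: the failure messages for 2.3.1.4 and 2.3.1.5 print the raw regular expression as the expected value (`Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`), which is not actionable for whoever reads the report; say instead something like 'Expected: a name of 1 to 20 characters that is not "Administrator"'. Worth a comment on the pattern as well: the `\b` anchors only reject the exact word, so names such as 'Administrators' or 'Admin' pass the rename check; if that is intended, document it, otherwise loosen the boundary or add the common variants. The SecurityOptions file also ends without a trailing newline.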
@@ -0,0 +1,1488 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Act as 
part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } 
+ if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne 
$_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" 
+ ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + 
Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += 
"The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature installed]" + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." 
+ } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-113" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + 
Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-6" + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count 
-gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { 
$null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + "S-1-5-83-0" + 
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + 
} + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } 
+ $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin 
$currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#AccountPolicies.ps1 new file mode 100644 index 0000000..ba3fa09 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#AccountPolicies.ps1 
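Review bot: in every test of this hunk the expected accounts are built as `@( ... ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }`, so an expected SID that fails to resolve (for example `S-1-5-90-0` in 2.2.25 or the `NT SERVICE\WdiServiceHost` service SID in 2.2.35) is silently dropped from `$identityAccounts`, and the right is then never reported as missing that account; returning `Status = "Warning"` when a listed SID cannot be resolved would be safer than filtering it out. Two smaller points: in 2.2.18 to 2.2.20 the outer `if (($missingUsers.Count -gt 0))` already guarantees the inner `if ($missingUsers.Count -gt 0)`, so the inner check can go, and the messages read "The user 'SeDenyServiceLogonRight' setting ..." where "The user right 'SeDenyServiceLogonRight' ..." (the wording already used for the unexpected-users message) would be consistent.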
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "V-63405" + Task = "Windows 10 account lockout duration must be configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63409" + Task = "The number of allowed bad logon attempts must be configured to 3 or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 3 -or $setPolicy -eq 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63413" + Task = "The period of time before the bad logon counter is reset must be configured to 15 minutes." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63415" + Task = "The password history must be configured to 24 passwords remembered." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63419" + Task = "The maximum password age must be configured to 60 days or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 60 -or $setPolicy -eq 0)) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63421" + Task = "The minimum password age must be configured to at least 1 day." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63423" + Task = "Passwords must, at a minimum, be 14 characters." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63427" + Task = "The built-in Microsoft password complexity filter must be enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63429" + Task = "Reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
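Review bot: the comparison in V-63409 is inverted. The task requires the bad-logon count to be 3 or less, but `if (($setPolicy -lt 3 -or $setPolicy -eq 0))` fails values below 3 and accepts anything above, and the message "Expected: x >= 3 and x != 0" repeats the error; it should be `if ($setPolicy -gt 3 -or $setPolicy -eq 0)` with the message "Expected: x <= 3 and x != 0" (compare the correct shape used for `MaximumPasswordAge` in V-63419). Minor: the `[long]$setPolicy` casts throw on a non-numeric value from the exported policy; since `$null` is already handled explicitly, a failed cast should also yield a `Status = "False"` result rather than an unhandled exception.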
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#AuditPolicies.ps1 new file mode 100644 index 0000000..d326eb9 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#AuditPolicies.ps1 
@@ -0,0 +1,1559 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "V-63431 + V-63435" + Task = "The system must be configured to audit Account Logon - Credential Validation failures. The system must be configured to audit Account Logon - Credential Validation successes." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63445" + Task = "The system must be configured to audit Account Management - Security Group Management successes." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63447 + V-63449" + Task = "The system must be configured to audit Account Management - User Account Management failures. The system must be configured to audit Account Management - User Account Management successes." + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63451" + Task = "The system must be configured to audit Detailed Tracking - PNP Activity successes." + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63453" + Task = "The system must be configured to audit Detailed Tracking - Process Creation successes." 
+ Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63457" + Task = "The system must be configured to audit Logon/Logoff - Group Membership successes." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63459" + Task = "The system must be configured to audit Logon/Logoff - Logoff successes." 
+ Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63463 + V-63467" + Task = "The system must be configured to audit Logon/Logoff - Logon failures. The system must be configured to audit Logon/Logoff - Logon successes." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63469" + Task = "The system must be configured to audit Logon/Logoff - Special Logon successes." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63471 + V-63473" + Task = "The system must be configured to audit Object Access - Removable Storage failures. The system must be configured to audit Object Access - Removable Storage successes." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63479" + Task = "The system must be configured to audit Policy Change - Audit Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63481" + Task = "The system must be configured to audit Policy Change - Authentication Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63483 + V-63487" + Task = "The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. The system must be configured to audit Privilege Use - Sensitive Privilege Use successes." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63491" + Task = "The system must be configured to audit System - IPSec Driver failures." 
+ Test = { + # Get the audit policy for the subcategory IPSec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "IPSec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'IPSec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63499 + V-63503" + Task = "The system must be configured to audit System - Other System Events successes. The system must be configured to audit System - Other System Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63507" + Task = "The system must be configured to audit System - Security State Change successes." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63513" + Task = "The system must be configured to audit System - Security System Extension successes." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63515 + V-63517" + Task = "The system must be configured to audit System - System Integrity failures. The system must be configured to audit System - System Integrity successes." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-71759" + Task = "The system must be configured to audit Logon/Logoff - Account Lockout failures." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-71761" + Task = "The system must be configured to audit Policy Change - Authorization Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-74409 + V-74411" + Task = "Windows 10 must be configured to audit Object Access - Other Object Access Events failures. Windows 10 must be configured to audit Object Access - Other Object Access Events successes." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-74721 + V-75027" + Task = "Windows 10 must be configured to audit Object Access - File Share successes. Windows 10 must be configured to audit Object Access - File Share failures." 
+ Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-99541 + V-99543" + Task = "Windows 10 must be configured to audit other Logon/Logoff Events Failures. Windows 10 must be configured to audit other Logon/Logoff Events Successes." 
+ Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-99545" + Task = "Windows 10 must be configured to audit Detailed File Share Failures." 
+ Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-99547 + V-99549" + Task = "Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes. Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures." 
+ Test = { + # Get the audit policy for the subcategory MPSSVC Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "MPSSVC Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'MPSSVC Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-99551 + V-99553" + Task = "Windows 10 must be configured to audit Other Policy Change Events Successes. Windows 10 must be configured to audit Other Policy Change Events Failures." 
+ Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#RegistrySettings.ps1 new file mode 100644 index 0000000..d20d84c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#RegistrySettings.ps1 
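Review bot: In every auditpol-based test in this hunk the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` is unreachable, because `throw` leaves the script block before the next statement runs; either drop the `Write-Error` or place it before the `throw`. The surrounding block (GUID lookup, `auditpol /get`, exit-code check, header skip, regex, compliance comparison) is repeated verbatim in each `[AuditTest]` with only the subcategory name and the accepted settings changing, so a shared helper taking the subcategory and the list of compliant values would shrink the file considerably and keep the localized match list (`No Auditing|...|Keine Überwachung|...`) in one place; as written, the parse returns `Status = "Warning"` on any Windows display language other than English or German. Also note that `$Matches` is only populated when `$line` is a single string: if `Select-Object -Skip 3` ever yields more than one line, `-notmatch` returns the non-matching elements instead of a boolean and `$Matches[0]` reads a stale or missing value, so collapsing `$line` to one string (for example with `Select-Object -Last 1`) before the match would make the check robust.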
@@ -0,0 +1,4142 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +[AuditTest] @{ + Id = "V-63321" + Task = "Users must be prevented from changing installation options." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63325" + Task = "The Windows Installer Always install with elevated privileges must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63329" + Task = "Users must be notified if a web-based program attempts to install software." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63333" + Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63335" + Task = "The Windows Remote Management (WinRM) client must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63339" + Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63341" + Task = "The Windows Remote Management (WinRM) client must not use Digest authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63347" + Task = "The Windows Remote Management (WinRM) service must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63369" + Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63375" + Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63519" + Task = "The Application event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63523" + Task = "The Security event log size must be configured to 1024000 KB or greater." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 1024000) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1024000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63527" + Task = "The System event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63545" + Task = "Camera access from the lock screen must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63549" + Task = "The display of slide shows on the lock screen must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63555" + Task = "IPv6 source routing must be configured to highest protection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIpSourceRouting" ` + | Select-Object -ExpandProperty "DisableIpSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63559" + Task = "The system must be configured to prevent IP source routing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63563" + Task = "The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63567" + Task = "The system must be configured to ignore NetBIOS name release requests except from WINS servers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63569" + Task = "Insecure logons to an SMB server must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63581" + Task = "Simultaneous connections to the Internet or a Windows domain must be limited." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($null -eq $regValue -or 0 -eq $regValue) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1-3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63585" + Task = "Connections to non-domain networks when connected to a domain authenticated network must be blocked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($null -eq $regValue -or 0 -eq $regValue) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1-3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63591" + Task = "Wi-Fi Sense must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63597" + Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63607" + Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if (($regValue -ne 1) -and ($regValue -ne 3) -and ($regValue -ne 8)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 3 or x == 8" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63609" + Task = "Group Policy objects must be reprocessed even if they have not changed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63615" + Task = "Downloading print driver packages over HTTP must be prevented." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63617" + Task = "Local accounts with blank passwords must be restricted to prevent access from the network." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63621" + Task = "Web publishing and online ordering wizards must be prevented from downloading a list of providers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63623" + Task = "Printing over HTTP must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63627" + Task = "Systems must at least attempt device authentication using certificates." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63629" + Task = "The network selection user interface (UI) must not be displayed on the logon screen." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63633" + Task = "Local users on domain-joined computers must not be enumerated." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63635" + Task = "Audit policy using subcategories must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63639" + Task = "Outgoing secure channel traffic must be encrypted or signed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63643" + Task = "Outgoing secure channel traffic must be encrypted when possible." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63645" + Task = "Users must be prompted for a password on resume from sleep (on battery)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63647" + Task = "Outgoing secure channel traffic must be signed when possible." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63649" + Task = "The user must be prompted for a password on resume from sleep (plugged in)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63651" + Task = "Solicited Remote Assistance must not be allowed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63653" + Task = "The computer account password must not be prevented from being reset." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63657" + Task = "Unauthenticated RPC clients must be restricted from connecting to the RPC server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63659" + Task = "The setting to allow Microsoft accounts to be optional for modern style apps must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63661" + Task = "The maximum age for machine account passwords must be configured to 30 days or less." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63663 A" + Task = "The Application Compatibility Program service must be disabled in order to prefent sending inventory data." + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63663 B" + Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." 
+ Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63665" + Task = "The system must be configured to require a strong session key." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63667" + Task = "Autoplay must be turned off for non-volume devices." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63669" + Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -ne 900) { + return @{ + Message = "Registry value is '$regValue'. Expected: 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63671" + Task = "The default autorun behavior must be configured to prevent autorun commands." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63673" + Task = "Autoplay must be disabled for all drives." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63677" + Task = "Enhanced anti-spoofing for facial recognition must be enabled on Window 10." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63679" + Task = "Administrator accounts must not be enumerated during elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63689" + Task = "Explorer Data Execution Prevention must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63691" + Task = "Turning off File Explorer heap termination on corruption must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63695" + Task = "File Explorer shell protocol must run in protected mode." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63699" + Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63701" + Task = "Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63703" + Task = "The Windows SMB client must be configured to always perform SMB packet signing." 
+ Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-63709" + Task = "The password manager function in the Edge browser must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63711" + Task = "Unencrypted passwords must not be sent to third-party SMB Servers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63713" + Task = "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63717" + Task = "The use of a hardware security device with Windows Hello for Business must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" ` + -Name "RequireSecurityDevice" ` + | Select-Object -ExpandProperty "RequireSecurityDevice" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63719" + Task = "The Windows SMB server must be configured to always perform SMB packet signing." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-63721" + Task = "Windows 10 must be configured to require a minimum pin length of six characters or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity" ` + -Name "MinimumPINLength" ` + | Select-Object -ExpandProperty "MinimumPINLength" + + if (($regValue -lt 6)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 6" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63729" + Task = "Passwords must not be saved in the Remote Desktop Client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63731" + Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63733" + Task = "Remote Desktop Services must always prompt a client for passwords upon connection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63737" + Task = "The Remote Desktop Session Host must require secure RPC communications." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63741" + Task = "Remote Desktop Services must be configured with the client connection encryption set to the required level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63743" + Task = "Attachments must be prevented from being downloaded from RSS feeds." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63745" + Task = "Anonymous enumeration of SAM accounts must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63747" + Task = "Basic authentication for RSS feeds over HTTP must not be used." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63749" + Task = "Anonymous enumeration of shares must be restricted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63751" + Task = "Indexing of encrypted files must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63755" + Task = "The system must be configured to prevent anonymous users from having the same rights as the Everyone group." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63759" + Task = "Anonymous access to Named Pipes and Shares must be restricted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63765" + Task = "NTLM must be prevented from falling back to a Null session." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63767" + Task = "PKU2U authentication using online identities must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63795" + Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63797" + Task = "The system must be configured to prevent the storage of the LAN Manager hash of passwords." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63801" + Task = "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63803" + Task = "The system must be configured to the required LDAP client signing level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63805" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based clients." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63807" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP based servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63811" + Task = "The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63815" + Task = "The default permissions of global system objects must be increased." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63817" + Task = "User Account Control approval mode for the built-in Administrator must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63821" + Task = "User Account Control must automatically deny elevation requests for standard users." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63825" + Task = "User Account Control must be configured to detect application installations and prompt for elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63827" + Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63829" + Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63831" + Task = "User Account Control must virtualize file and registry write failures to per-user locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63839" + Task = "Toast notifications to the lock screen must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63841" + Task = "Zone information must be preserved when saving attachments." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-68817" + Task = "Command line data must be included in process creation events." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-68819" + Task = "PowerShell script block logging must be enabled on Windows 10." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-68849" + Task = "Structured Exception Handling Overwrite Protection (SEHOP) must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-71763" + Task = "WDigest Authentication must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-71765" + Task = "Internet connection sharing must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-71769" + Task = "Remote calls to the Security Account Manager (SAM) must be restricted to Administrators." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-71771" + Task = "Microsoft consumer experiences must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-74417" + Task = "Windows 10 must be configured to disable Windows Game Recording and Broadcasting." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-74699" + Task = "Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-74723" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-74725" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-82137" + Task = "The use of personal accounts for OneDrive synchronization must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive" ` + -Name "DisablePersonalSync" ` + | Select-Object -ExpandProperty "DisablePersonalSync" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-82139" + Task = "Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings" ` + -Name "PreventCertErrorOverrides" ` + | Select-Object -ExpandProperty "PreventCertErrorOverrides" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-82145" + Task = "If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitEnhancedDiagnosticDataWindowsAnalytics" ` + | Select-Object -ExpandProperty "LimitEnhancedDiagnosticDataWindowsAnalytics" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-94719" + Task = "Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-94859" + Task = "Windows 10 systems must use a BitLocker PIN for pre-boot authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-94861" + Task = "Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "MinimumPIN" ` + | Select-Object -ExpandProperty "MinimumPIN" + + if (($regValue -lt 6)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 6" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-99557" + Task = "Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-99563" + Task = "Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications. " + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#SecurityOptions.ps1 new file mode 100644 index 0000000..2d8a345 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#SecurityOptions.ps1 
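Review bot: In the registry-value hunk that ends with V-99563, the two tests that read HKEY_CURRENT_USER (V-82137 `OneDrive\DisablePersonalSync` and V-99563 `CloudContent\DisableThirdPartySuggestions`) audit the hive of whichever account runs the audit, which for an elevated or scheduled run is an administrator or SYSTEM rather than the interactive user the policy is meant for; either document that these two results are only meaningful when run as the target user, or resolve the hive explicitly (for example under HKEY_USERS by the logged-on user's SID) so the report is not silently wrong. The catch blocks in every test handle only a missing value (`PSArgumentException`) and a missing key (`ItemNotFoundException`); an access-denied or any other failure escapes the Test block unhandled, so a final generic `catch` that returns a non-compliant status carrying `$_.Exception.Message` would keep one broken key from aborting the group. Two small style points: V-94861 has doubled parentheses in `if (($regValue -lt 6))`, and the V-99563 Task string ends with a trailing space. Since all of these tests repeat the same try/catch/compare block verbatim, a shared helper in the already dot-sourced `Helpers\AuditGroupFunctions.ps1` taking path, value name and expected value would shrink the file considerably and put the error handling in one place.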
@@ -0,0 +1,130 @@ +[AuditTest] @{ + Id = "V-63601" + Task = "The built-in administrator account must be disabled." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableAdminAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableAdminAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63611" + Task = "The built-in guest account must be disabled." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63619" + Task = "The built-in administrator account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63625" + Task = "The built-in guest account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." 
+ Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-63739" + Task = "Anonymous SID/Name translation must not be allowed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#UserRights.ps1 new file mode 100644 index 0000000..34ef58f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-DISA-V1R23#UserRights.ps1 
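Review bot: In the SecurityOptions hunk, V-63625 adds an inline `(?i)` to its regex while V-63619 does not; `-notmatch` is already case-insensitive in PowerShell, so the `(?i)` is redundant and the two rename checks should use the same form. V-63625 also accepts the German "Gast" as a forbidden guest name, but V-63619 and the rest of the file are not localised, so either comment why the guest check alone is locale-aware or apply the same treatment to both (the UserRights file in this same patch already switches on `Get-UICulture` and could share that logic). The failure messages for the two rename tests (`'NewAdministratorName' currently set to: $setOption.`) omit the "Expected: ..." part that every other test in the file includes; stating the expectation (a name other than Administrator / Guest) keeps the report consistent and tells the reader what to change.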
@@ -0,0 +1,956 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"V-63843" + Task = "The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63845" + Task = "The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "Administrators" + "Remote Desktop Users" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63847" + Task = "The Act as part of the operating system user right must not be assigned to any groups or accounts." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63851" + Task = "The Allow log 
on locally user right must only be assigned to the Administrators and Users groups." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "Administrators" + "Users" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63853" + Task = "The Back up files and directories user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63857" + Task = "The Create a pagefile user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63859" + Task = "The Create a token object user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63861" + Task = "The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "Administrators" + "LOCAL SERVICE" + "NETWORK SERVICE" + "SERVICE" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63863" + Task = "The Create permanent shared objects user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63865" + Task = "The Create symbolic links user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63869" + Task = "The Debug programs user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63871" + Task = "The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63877" + Task = "The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "Enterprise Admins" + "Domain Admins" + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63879" + Task = "The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "Enterprise Admins" + "Domain Admins" + "Local account" + "Guests" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63881" + Task = "The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63883" + Task = "The Force shutdown from a remote system user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63889" + Task = "The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "Administrators" + "LOCAL SERVICE" + "NETWORK SERVICE" + "SERVICE" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63917" + Task = "The Load and unload device drivers user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63925" + Task = "The Lock pages in memory user right must not be assigned to any groups or accounts." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63927" + Task = "The Manage auditing and security log user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63931" + Task = "The Modify firmware environment values user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63933" + Task = "The Perform volume maintenance tasks user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63935" + Task = "The Profile single process user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63939" + Task = "The Restore files and directories user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-63941" + Task = "The Take ownership of files or other objects user right must only be assigned to the Administrators group." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "Administrators" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#AccountPolicies.ps1 new file mode 100644 index 0000000..35fa9a8 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#AccountPolicies.ps1 
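Review bot: In the SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight (V-63879) tests the inner `if ($missingUsers.Count -gt 0)` repeats the enclosing `if (($missingUsers.Count -gt 0))` and can be dropped. More importantly, `| Where-Object { $null -ne $_ }` silently discards every name that ConvertTo-NTAccountUser returns as $null, so on a workstation where "Enterprise Admins" or "Domain Admins" cannot be resolved the deny-logon tests compare against a shorter list and report "Compliant" without saying so; keeping the unresolved names and reporting them in the message (or returning Status "Warning") would make the report honest about what was actually checked. Minor wording: the messages "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users" should say "The user right ...", and "contains following unexpected users" in the other tests is missing "the".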
@@ -0,0 +1,196 @@ +[AuditTest] @{ + Id = "AccountPolicy-216" + Task = "Ensure 'MinimumPasswordLength' is set to '14'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 14) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-217" + Task = "Ensure 'PasswordComplexity' is set to '1'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-218" + Task = "Ensure 'PasswordHistorySize' is set to '24'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-219" + Task = "Ensure 'LockoutBadCount' is set to '10'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 10 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-220" + Task = "Ensure 'ResetLockoutCount' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 15) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-221" + Task = "Ensure 'LockoutDuration' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 15) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-222" + Task = "Ensure 'ClearTextPassword' is set to '0'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#AuditPolicies.ps1 new file mode 100644 index 0000000..b4a4804 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#AuditPolicies.ps1 
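Review bot: The AccountPolicy-219 task text "Ensure 'LockoutBadCount' is set to '10'." does not match its check, which accepts any value with `$setPolicy -le 10` and `-gt 0` (message: "Expected: x <= 10 and x > 0"); either reword the task to the accepted range or tighten the check so the report and the test agree. Related: the other tests in this file use strict equality (`-ne 14`, `-ne 24`, `-ne 15`), so a stricter configuration such as MinimumPasswordLength 16 or PasswordHistorySize 30 is reported as non-compliant; if the intent is a minimum, `-lt` would be the consistent operator. Also, `$setPolicy = [long]$setPolicy` throws on a non-numeric value instead of returning a status; wrapping the cast in try/catch and returning Status "Warning" would keep this path consistent with the "Currently not set." branch.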
@@ -0,0 +1,1388 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "AuditPolicy-193" + Task = "Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-194" + Task = "Ensure 'Security Group Management' is set to 'Success'." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-195" + Task = "Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-196" + Task = "Ensure 'Plug and Play Events' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-197" + Task = "Ensure 'Process Creation' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-198" + Task = "Ensure 'Account Lockout' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-199" + Task = "Ensure 'Group Membership' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-200" + Task = "Ensure 'Logon' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-201" + Task = "Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-202" + Task = "Ensure 'Special Logon' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-203" + Task = "Ensure 'Detailed File Share' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-204" + Task = "Ensure 'File Share' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-205" + Task = "Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-206" + Task = "Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-207" + Task = "Ensure 'Audit Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-208" + Task = "Ensure 'Authentication Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-209" + Task = "Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory MPSSVC Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "MPSSVC Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'MPSSVC Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-210" + Task = "Ensure 'Other Policy Change Events' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-211" + Task = "Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-212" + Task = "Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-213" + Task = "Ensure 'Security State Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-214" + Task = "Ensure 'Security System Extension' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-215" + Task = "Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#RegistrySettings.ps1 new file mode 100644 index 0000000..1a84a2e --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#RegistrySettings.ps1 
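Review bot: `Write-Error -Message $errorString` is unreachable after `throw [System.ArgumentException] $errorString` in every Test block of this hunk; keep one or the other, and fix the unbalanced quoting in `$errorString` (`"'auditpol /get /subcategory:'$subCategoryGUID' returned ..."`). The `-notmatch` check only populates `$Matches` when `$line` is a single string: if `Select-Object -Skip 3` leaves more than one line, `-notmatch` filters the array instead of setting `$Matches`, and `$Matches[0]` then reads a stale or null value rather than the setting, so guard with something like `if (@($line).Count -ne 1)` before matching; note also that the hardcoded English/German setting names make every other UI language report `Warning`. Style: the tests in this hunk differ only in the subcategory name and the accepted settings, so a shared helper taking those two parameters would replace the roughly 50 duplicated lines per test.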
@@ -0,0 +1,10968 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +$hyperVStatus = CheckHyperVStatus +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "Registry-001" + Task = "Set registry value 'PUAProtection' to 1." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-002" + Task = "Set registry value 'MpCloudBlockLevel' to 2." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "MpCloudBlockLevel" ` + | Select-Object -ExpandProperty "MpCloudBlockLevel" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-003" + Task = "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-004" + Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-005" + Task = "Ensure 'Scan removable drives' is set to 'Enabled'." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-006" + Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'." 
+ Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-007" + Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-008" + Task = "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "DisableBlockAtFirstSeen" ` + | Select-Object -ExpandProperty "DisableBlockAtFirstSeen" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-009" + Task = "Set registry value 'ExploitGuard_ASR_Rules' to 1." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-010" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-011" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-012" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-013" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-014" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-015" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-016" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-017" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-018" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-019" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-020" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-021" + Task = "Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "c1db55ab-c21a-4637-bb3f-a12568109d35" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "c1db55ab-c21a-4637-bb3f-a12568109d35" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-022" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-023" + Task = "Set registry value 'EnableNetworkProtection' to 1." + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-024" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-025" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -eq 3) { + return @{ + Message = "Set to 'Secure Boot and DMA Protection' which is more secure." + Status = "True" + } + } + + if ($regValue -ne 1 -and $regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1 or (better) 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-026" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-027" + Task = "Set registry value 'HVCIMATRequired' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-028" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-029" + Task = "Set registry value 'ConfigureSystemGuardLaunch' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-031" + Task = "Set registry value 'UseEnhancedPin' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-032" + Task = "Set registry value 'RDVDenyCrossOrg' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-033" + Task = "Set registry value 'DisableExternalDMAUnderLock' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-034" + Task = "Set registry value 'DCSettingIndex' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-035" + Task = "Set registry value 'ACSettingIndex' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-036" + Task = "Set registry value 'DenyDeviceClasses' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-037" + Task = "Set registry value 'DenyDeviceClassesRetroactive' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-038" + Task = "Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-039" + Task = "Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-040" + Task = "Set registry value 'AutoConnectAllowedOEM' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-041" + Task = "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-042" + Task = "Ensure 'Turn off Autoplay' is set to 'All drives'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-043" + Task = "Set registry value 'NoWebServices' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-044" + Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-045" + Task = "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-046" + Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-047" + Task = "Set registry value 'LocalAccountTokenFilterPolicy' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-048" + Task = "Set registry value 'AllowEncryptionOracle' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-049" + Task = "Set registry value 'EnhancedAntiSpoofing' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-050" + Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-051" + Task = "Set registry value 'PreventCertErrorOverrides' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings" ` + -Name "PreventCertErrorOverrides" ` + | Select-Object -ExpandProperty "PreventCertErrorOverrides" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-052" + Task = "Set registry value 'FormSuggest Passwords' to no." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-053" + Task = "Set registry value 'EnabledV9' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-054" + Task = "Set registry value 'PreventOverride' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-055" + Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-056" + Task = "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-057" + Task = "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-058" + Task = "Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-059" + Task = "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-060" + Task = "Set registry value 'AllowProtectedCreds' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-061" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'. 
[Application\MaxSize]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-062" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-063" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'. 
[System\MaxSize]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-064" + Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-065" + Task = "Set registry value 'AllowGameDVR' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-066" + Task = "Ensure 'Configure registry policy processing' is set to '0'. [NoGPOListChanges]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-067" + Task = "Ensure 'Configure registry policy processing' is set to '0'. [NoBackgroundPolicy]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-068" + Task = "Set registry value 'AlwaysInstallElevated' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-069" + Task = "Ensure 'Allow user control over installs' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-070" + Task = "Set registry value 'DeviceEnumerationPolicy' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-071" + Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-072" + Task = "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-073" + Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-074" + Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-075" + Task = "Set registry value 'NoLockScreenCamera' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-076" + Task = "Set registry value 'NoLockScreenSlideshow' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-077" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-078" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is not set. 
(EnableScriptBlockInvocationLogging)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockInvocationLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-079" + Task = "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-080" + Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-081" + Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-082" + Task = "Set registry value 'ShellSmartScreenLevel' to Block." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-083" + Task = "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-084" + Task = "Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-085" + Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-086" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-087" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-088" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-089" + Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-090" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-091" + Task = "Ensure 'Turn off multicast name resolution' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-092" + Task = "Set registry value 'DisableWebPnPDownload' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-093" + Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-094" + Task = "Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fUseMailto" ` + | Select-Object -ExpandProperty "fUseMailto" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-095" + Task = "Configure Solicited Remote Assistance to disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-096" + Task = "Configure Solicited Remote Assistance - Allow helpers to only view the computer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowFullControl" ` + | Select-Object -ExpandProperty "fAllowFullControl" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-097" + Task = "Set registry value 'MaxTicketExpiry' to ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxTicketExpiry" ` + | Select-Object -ExpandProperty "MaxTicketExpiry" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-098" + Task = "Set registry value 'MaxTicketExpiryUnits' to ." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxTicketExpiryUnits" ` + | Select-Object -ExpandProperty "MaxTicketExpiryUnits" + + return @{ + Message = "Registry value found." 
+ Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-099" + Task = "Set registry value 'MinEncryptionLevel' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-100" + Task = "Set registry value 'fPromptForPassword' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-101" + Task = "Set registry value 'fDisableCdm' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-102" + Task = "Set registry value 'DisablePasswordSaving' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-103" + Task = "Set registry value 'fEncryptRPCTraffic' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-105" + Task = "Domain: Set registry value 'DefaultOutboundAction' to 0." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-106" + Task = "Domain: Set registry value 'DisableNotifications' to 1." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-107" + Task = "Domain: Set registry value 'EnableFirewall' to 1." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-108" + Task = "Domain: Set registry value 'DefaultInboundAction' to 1." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-109" + Task = "Domain: Set registry value 'LogDroppedPackets' to 1." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-110" + Task = "Domain: Set registry value 'LogFileSize' to 16384." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-111" + Task = "Domain: Set registry value 'LogSuccessfulConnections' to 1." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-112" + Task = "Private: Set registry value 'EnableFirewall' to 1." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-113" + Task = "Private: Set registry value 'DisableNotifications' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-114" + Task = "Private: Set registry value 'DefaultInboundAction' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-115" + Task = "Private: Set registry value 'DefaultOutboundAction' to 0." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-116" + Task = "Private: Set registry value 'LogSuccessfulConnections' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-117" + Task = "Private: Set registry value 'LogDroppedPackets' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-118" + Task = "Private: Set registry value 'LogFileSize' to 16384." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-119" + Task = "Public: Set registry value 'DefaultOutboundAction' to 0." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-120" + Task = "Public: Set registry value 'EnableFirewall' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-121" + Task = "Public: Set registry value 'DisableNotifications' to 1." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-122" + Task = "Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-123" + Task = "Public: Set registry value 'AllowLocalPolicyMerge' to 0." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-124" + Task = "Public: Set registry value 'DefaultInboundAction' to 1." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-125" + Task = "Public: Set registry value 'LogFileSize' to 16384." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-126" + Task = "Public: Set registry value 'LogDroppedPackets' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-127" + Task = "Public: Set registry value 'LogSuccessfulConnections' to 1." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-128" + Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-129" + Task = "Set registry value 'AdmPwdEnabled' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-130" + Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-131" + Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-132" + Task = "Set registry value 'DriverLoadPolicy' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-133" + Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-134" + Task = "Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-135" + Task = "Set registry value 'NoNameReleaseOnDemand' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-136" + Task = "Set registry value 'NodeType' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-137" + Task = "Set registry value 'EnableICMPRedirect' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-138" + Task = "Set registry value 'DisableIPSourceRouting' to 2. [Tcpip\Parameters\DisableIPSourceRouting]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-139" + Task = "Set registry value 'DisableIPSourceRouting' to 2. [Tcpip6\Parameters\DisableIPSourceRouting]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-140" + Task = "Set registry value 'ScRemoveOption' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-141" + Task = "Set registry value 'InactivityTimeoutSecs' to 900." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -ne 900) { + return @{ + Message = "Registry value is '$regValue'. Expected: 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-142" + Task = "Set registry value 'NoLMHash' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-143" + Task = "Set registry value 'EnablePlainTextPassword' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-144" + Task = "Set registry value 'LimitBlankPasswordUse' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-145" + Task = "Set registry value 'RestrictAnonymousSAM' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-146" + Task = "Set registry value 'RestrictAnonymous' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-147" + Task = "Set registry value 'RestrictNullSessAccess' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-148" + Task = "Set registry value 'SCENoApplyLegacyAuditPolicy' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-149" + Task = "Set registry value 'NTLMMinClientSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-150" + Task = "Set registry value 'LmCompatibilityLevel' to 5." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-151" + Task = "Set registry value 'allownullsessionfallback' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-152" + Task = "Set registry value 'NTLMMinServerSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-153" + Task = "Set registry value 'requirestrongkey' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requirestrongkey" ` + | Select-Object -ExpandProperty "requirestrongkey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-154" + Task = "Set registry value 'RequireSecuritySignature' to 1." + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-155" + Task = "Set registry value 'sealsecurechannel' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "sealsecurechannel" ` + | Select-Object -ExpandProperty "sealsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-156" + Task = "Set registry value 'requiresignorseal' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requiresignorseal" ` + | Select-Object -ExpandProperty "requiresignorseal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-157" + Task = "Set registry value 'signsecurechannel' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "signsecurechannel" ` + | Select-Object -ExpandProperty "signsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-158" + Task = "Set registry value 'requiresecuritysignature' to 1." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-159" + Task = "Set registry value 'ProtectionMode' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-160" + Task = "Set registry value 'ConsentPromptBehaviorAdmin' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-161" + Task = "Set registry value 'EnableSecureUIAPaths' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-162" + Task = "Set registry value 'EnableLUA' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-163" + Task = "Set registry value 'ConsentPromptBehaviorUser' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-164" + Task = "Set registry value 'EnableInstallerDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-165" + Task = "Set registry value 'FilterAdministratorToken' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-166" + Task = "Set registry value 'EnableVirtualization' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-167" + Task = "Set registry value 'LDAPClientIntegrity' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-168" + Task = "Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-223" + Task = "Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-224" + Task = "Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-225" + Task = "Set registry value 'FormSuggest Passwords' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-226" + Task = "Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest PW Ask" ` + | Select-Object -ExpandProperty "FormSuggest PW Ask" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-227" + Task = "Set registry value 'FormSuggest Passwords' to no." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-228" + Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "RunThisTimeEnabled" ` + | Select-Object -ExpandProperty "RunThisTimeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-229" + Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "VersionCheckEnabled" ` + | Select-Object -ExpandProperty "VersionCheckEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-230" + Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-231" + Task = "Set registry value 'CheckExeSignatures' to yes." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-232" + Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-233" + Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-234" + Task = "Set registry value 'Isolation' to PMEM." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-235" + Task = "Set registry value '(Reserved)' to 1. 
[FEATURE_DISABLE_MK_PROTOCOL\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-236" + Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-237" + Task = "Set registry value 'explorer.exe' to 1. 
[FEATURE_DISABLE_MK_PROTOCOL\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-238" + Task = "Set registry value 'explorer.exe' to 1. [FEATURE_MIME_HANDLING\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-239" + Task = "Set registry value 'iexplore.exe' to 1. 
[FEATURE_MIME_HANDLING\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-240" + Task = "Set registry value '(Reserved)' to 1. [FEATURE_MIME_HANDLING\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-241" + Task = "Set registry value 'explorer.exe' to 1. 
[FEATURE_MIME_SNIFFING\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-242" + Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_MIME_SNIFFING\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-243" + Task = "Set registry value '(Reserved)' to 1. 
[FEATURE_MIME_SNIFFING\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-244" + Task = "Set registry value '(Reserved)' to 1. [FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-245" + Task = "Set registry value 'explorer.exe' to 1. 
[FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-246" + Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-247" + Task = "Set registry value '(Reserved)' to 1. 
[FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-248" + Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-249" + Task = "Set registry value 'explorer.exe' to 1. 
[FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-250" + Task = "Set registry value '(Reserved)' to 1. [FEATURE_SECURITYBAND\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-251" + Task = "Set registry value 'iexplore.exe' to 1. 
[FEATURE_SECURITYBAND\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-252" + Task = "Set registry value 'explorer.exe' to 1. [FEATURE_SECURITYBAND\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-253" + Task = "Set registry value 'iexplore.exe' to 1. 
[FEATURE_WINDOW_RESTRICTIONS\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-254" + Task = "Set registry value '(Reserved)' to 1. [FEATURE_WINDOW_RESTRICTIONS\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-255" + Task = "Set registry value 'explorer.exe' to 1. 
[FEATURE_WINDOW_RESTRICTIONS\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-256" + Task = "Set registry value '(Reserved)' to 1. [FEATURE_ZONE_ELEVATION\(Reserved)]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-257" + Task = "Set registry value 'explorer.exe' to 1. 
[FEATURE_ZONE_ELEVATION\explorer.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-258" + Task = "Set registry value 'iexplore.exe' to 1. [FEATURE_ZONE_ELEVATION\iexplore.exe]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-259" + Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-260" + Task = "Set registry value 'PreventOverride' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-261" + Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-262" + Task = "Set registry value 'NoCrashDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-263" + Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-264" + Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-265" + Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" ` + -Name "OnlyUseAXISForActiveXInstall" ` + | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-266" + Task = "Set registry value 'Security_zones_map_edit' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-267" + Task = "Set registry value 'Security_options_edit' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-268" + Task = "Set registry value 'Security_HKLM_only' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-269" + Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-270" + Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-271" + Task = "Set registry value 'WarnOnBadCertRecving' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-272" + Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "EnableSSL3Fallback" ` + | Select-Object -ExpandProperty "EnableSSL3Fallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-273" + Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if ($regValue -ne 2560) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-274" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-275" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-276" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-277" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Lockdown_Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-278" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-279" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-280" + Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-281" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-282" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-283" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-284" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-285" + Task = "Ensure 'Java permissions' is set to 'High safety'. 
[Zones\1\1C00]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-286" + Task = "Ensure 'Java permissions' is set to 'High safety'. [Zones\2\1C00]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-287" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-288" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-289" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-290" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-291" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-292" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-293" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-294" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-295" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-296" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-297" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-298" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-299" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-300" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-301" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-302" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-303" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-304" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-305" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-306" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-307" + Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-308" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-309" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-310" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-311" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-312" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-313" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-314" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-315" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-316" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-317" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-318" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-319" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-320" + Task = "Set registry value '140C' to 3. (Zones\3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-321" + Task = "Ensure 'Allow META REFRESH' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-322" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-323" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-324" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-325" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-326" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-327" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-328" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-329" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-330" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-331" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-332" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-333" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-334" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-335" + Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-336" + Task = "Ensure 'Scripting of Java applets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-337" + Task = "Ensure 'Allow file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-338" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-339" + Task = "Ensure 'Allow active scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-340" + Task = "Ensure 'Logon options' is set to 'Anonymous logon'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-341" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-342" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-343" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-344" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-345" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-346" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-347" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-348" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-349" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-350" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-351" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-352" + Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-353" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-354" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-355" + Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-356" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-357" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-358" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-359" + Task = "Set registry value '140C' to 3. (Zones\4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#SecurityOptions.ps1 new file mode 100644 index 0000000..d8ce1e4 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#SecurityOptions.ps1 @@ -0,0 +1,26 @@ +[AuditTest] @{ + Id = "SecurityOption-169" + Task = "Ensure 'LSAAnonymousNameLookup' is set to '0'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#UserRights.ps1 new file mode 100644 index 0000000..371406d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Microsoft-21H1#UserRights.ps1 
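Review bot: The Task strings in the Registry hunk are inconsistent: Registry-356 through 358 name the policy setting being audited ("Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'."), but Registry-359 reads `Task = "Set registry value '140C' to 3. (Zones\4)"`, which tells the reader of the report nothing about which Internet Settings zone policy is checked; name the policy as the neighbouring entries do. A second point for every test in this hunk: only `PSArgumentException` and `ItemNotFoundException` are caught, so any other terminating error raised by `Get-ItemProperty -ErrorAction Stop` (an access-denied error, for instance) escapes the Test scriptblock instead of yielding a Status/Message result; a final generic `catch` that returns the exception message as a "False" result would keep the report shape consistent.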
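Review bot: In SecurityOption-169 the value taken from the parsed security policy is compared as-is (`if ($setOption -ne 0)`), whereas the account-policy tests added in the same change cast first (`$setPolicy = [long]$setPolicy`). Because `$setOption` comes from a text export, the comparison as written is a string comparison against "0", so a textual variant such as "00" would be reported as non-compliant; cast `$setOption` to `[long]` before the comparison, as the other tests do.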
@@ -0,0 +1,882 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"UserRight-170" + Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-171" + Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-172" + Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-173" + Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-174" + Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-175" + Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + 
+ $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-176" + Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-177" + Task = "Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-178" + Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-179" + Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if ($missingUsers.Count -gt 0) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-180" + Task = "Ensure 'Access this computer from the network' is set to 'Administrator, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages 
-join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-181" + Task = "Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-6" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-182" + Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-183" + Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-6" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-184" + Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'" + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-185" + Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-186" + Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-187" + Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account 
} + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-188" + Task = "Ensure 'Debug programs' is set to 'Administrators'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." 
+ } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-189" + Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-190" + Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-191" + Task = "Ensure 'SeTcbPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + 
return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-192" + Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..7fa9cee --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#AccountPolicies.ps1 
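Review bot: The "Positive Deviation" branch of UserRight-188 builds its message incorrectly: `$users += $currentUser.Values` appends each entry's Account and Sid back to back with no separator, so the report shows a run-together string; collect `$currentUser.Account` and join with ", " as the other tests do with `($unexpectedUsers -join ", ")`. Two smaller points in the same hunk: the Task for UserRight-180 reads 'Administrator, Remote Desktop Users' while the expected SID list is S-1-5-32-544 (Administrators) and S-1-5-32-555, and it is the only test in the file that describes the expectation with friendly names rather than SIDs; and every missing-users message is worded "The user 'SeXxx' setting does not contain the following users" while its counterpart says "The user right 'SeXxx' contains following unexpected users", so the first should also say "user right". Since the twenty-odd test bodies differ only in privilege name and SID list, a shared helper in the already dot-sourced AuditGroupFunctions.ps1 would make fixes like these a one-line change.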
@@ -0,0 +1,255 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 5 -or $setPolicy -le 0) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
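Review bot: In test 1.1.1 the comparison `if ($setPolicy -ne 24)` contradicts the task text "24 or more password(s)": a history size of 25 is reported as non-compliant with "Expected: 24". Use `if ($setPolicy -lt 24)` and word the message "Expected: x >= 24", matching the pattern 1.1.3 and 1.1.4 already use in this hunk. Also, the Ids jump from 1.1.5 to 1.1.7 with no 1.1.6 entry; if the gap is intentional a one-line comment would save the next reader from looking for a missing test.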
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..01bc89f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#AuditPolicies.ps1 
@@ -0,0 +1,1616 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
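Review bot: in every test of this hunk the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` is unreachable, because `throw` leaves the script block first; either drop the `Write-Error` or move it before the `throw`. The parse step `$line = $auditPolicyString | Where-Object { $_ } | Select-Object -Skip 3` also assumes the trimmed auditpol output has exactly three header rows followed by a single subcategory row; if more than one row remains, `$line` is an array, `-notmatch` returns the non-matching elements instead of a boolean and `$Matches` is never populated, so `$setting = $Matches[0]` fails. `Select-Object -Skip 3 -First 1` (or matching against the row that contains the subcategory name) would make that assumption explicit. Finally, the thirteen tests differ only in subcategory name and accepted settings; a helper in AuditGroupFunctions.ps1 taking those two parameters would remove several hundred duplicated lines and keep the English/German regex in one place (the mixed `-and`/`-And` casing would go with it).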
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..2f0430c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#RegistrySettings.ps1 
@@ -0,0 +1,16305 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM" ` + -Name "RelaxMinimumPasswordLengthLimits" ` + | Select-Object -ExpandProperty "RelaxMinimumPasswordLengthLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -lt 5 -or $regValue -gt 14)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 5 and x <= 14" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.14.1" + Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.5" + Task = "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.6" + Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.7" + Task = "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.8" + Task = "(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.9" + Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.10" + Task = "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.11" + Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.12" + Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.13" + Task = "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.14" + Task = "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.15" + Task = "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.16" + Task = "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.17" + Task = "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.18" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.19" + Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.20" + Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.21" + Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.22" + Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.23" + Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.24" + Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.25" + Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.26" + Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.27" + Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.28" + Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.29" + Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.30" + Task = "(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.31" + Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.32" + Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.33" + Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.34" + Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.35" + Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.36" + Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.37" + Task = "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.38" + Task = "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.39" + Task = "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.40" + Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.41" + Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.42" + Task = "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.43" + Task = "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.44" + Task = "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.45" + Task = "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "EnableFirewall" ` + | Select-Object -ExpandProperty "EnableFirewall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = 
"DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.8" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = 
"Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.10" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty 
-ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'LSA Protection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters" ` + -Name "disablesavepassword" ` + | Select-Object -ExpandProperty "disablesavepassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.13" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' (or 0 - Disable NetBIOS name resolution)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetbios" ` + | Select-Object -ExpandProperty "EnableNetbios" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." 
+ Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if (($regValue -ne 255)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.23.2.1" + Task = "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 1) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.1" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "PCI\CC_0C0A") { + return @{ + Message = "Registry value is '$regValue'. Expected: PCI\CC_0C0A" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.3" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDsRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.4" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 A" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the SBP2 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 B" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the IEC-61883 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 C" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the AVC Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "{c06ff265-ae09-48f0-812c-16753d7cba83}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {c06ff265-ae09-48f0-812c-16753d7cba83}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 D" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 Host Bus Controller Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "{6bdd1fc1-810f-11d0-bec7-08002be2092f}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {6bdd1fc1-810f-11d0-bec7-08002be2092f}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.6" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "ConfigureLsaProtectedProcess" ` + | Select-Object -ExpandProperty "ConfigureLsaProtectedProcess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.3" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.4" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.1" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.2" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.3" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.4" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.5" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.6" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.34.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.34.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.46.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.46.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.48.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.2" + Task = "(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx" ` + -Name "BlockNonAdminUserInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminUserInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.1" + Task = "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.2" + Task = "(L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "BlockHostedAppAccessWinRT" ` + | Select-Object -ExpandProperty "BlockHostedAppAccessWinRT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "FDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHardwareEncryption" ` + | Select-Object -ExpandProperty "FDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.11" + Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.12" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVAllowUserCert" ` + | Select-Object -ExpandProperty "FDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.13" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVEnforceUserCert" ` + | Select-Object -ExpandProperty "FDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.1" + Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.2" + Task = "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSAllowSecureBootForIntegrity" ` + | Select-Object -ExpandProperty "OSAllowSecureBootForIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryPassword" ` + | Select-Object -ExpandProperty "OSRecoveryPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryKey" ` + | Select-Object -ExpandProperty "OSRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "OSActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.10" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHardwareEncryption" ` + | Select-Object -ExpandProperty "OSHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.12" + Task = "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSPassphrase" ` + | Select-Object -ExpandProperty "OSPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.13" + Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.14" + Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.15" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPM" ` + | Select-Object -ExpandProperty "UseTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.16" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMPIN" ` + | Select-Object -ExpandProperty "UseTPMPIN" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.17" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKey" ` + | Select-Object -ExpandProperty "UseTPMKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.18" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKeyPIN" ` + | Select-Object -ExpandProperty "UseTPMKeyPIN" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "RDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: ''" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHardwareEncryption" ` + | Select-Object -ExpandProperty "RDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.11" + Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.12" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVAllowUserCert" ` + | Select-Object -ExpandProperty "RDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.13" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVEnforceUserCert" ` + | Select-Object -ExpandProperty "RDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.14" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.15" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.4" + Task = "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.12.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.2" + Task = "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableCloudOptimizedContent" ` + | Select-Object -ExpandProperty "DisableCloudOptimizedContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.3" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.3" + Task = "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "NoLocalPasswordResetQuestions" ` + | Select-Object -ExpandProperty "NoLocalPasswordResetQuestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.1" + Task = "(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if (($regValue -eq 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x != 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.1" + Task = "(L1) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.4" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.33.1" + Task = "(L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup" ` + -Name "DisableHomeGroup" ` + | Select-Object -ExpandProperty "DisableHomeGroup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.35.1" + Task = "(L1) 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" ` + -Name "NotifyDisableIEOptions" ` + | Select-Object -ExpandProperty "NotifyDisableIEOptions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.37.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 M" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.7.1" + Task = "(L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.1" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.2" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.17" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.1" + Task = "(NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AuditApplicationGuard" ` + | Select-Object -ExpandProperty "AuditApplicationGuard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.2" + Task = "(NG) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowCameraMicrophoneRedirection" ` + | Select-Object -ExpandProperty "AllowCameraMicrophoneRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.3" + Task = "(NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowPersistence" ` + | Select-Object -ExpandProperty "AllowPersistence" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.4" + Task = "(NG) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "SaveFilesToHost" ` + | Select-Object -ExpandProperty "SaveFilesToHost" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.5" + Task = "(NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AppHVSIClipboardSettings" ` + | Select-Object -ExpandProperty "AppHVSIClipboardSettings" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.6" + Task = "(NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowAppHVSI_ProviderSet" ` + | Select-Object -ExpandProperty "AllowAppHVSI_ProviderSet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" ` + -Name "EnableFeeds" ` + | Select-Object -ExpandProperty "EnableFeeds" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.51.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.2.1" + Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.1" + Task = "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "EnableUiaRedirection" ` + | Select-Object -ExpandProperty "EnableUiaRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.2" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.3" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.4" + Task = "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLocationRedir" ` + | Select-Object -ExpandProperty "fDisableLocationRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.5" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.6" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.7" + Task = "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableWebAuthn" ` + | Select-Object -ExpandProperty "fDisableWebAuthn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.3" + Task = "(L1) Ensure 'Allow Cortana' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortana" ` + | Select-Object -ExpandProperty "AllowCortana" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.4" + Task = "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortanaAboveLock" ` + | Select-Object -ExpandProperty "AllowCortanaAboveLock" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.5" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.6" + Task = "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.7" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.63.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.1" + Task = "(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.2" + Task = "(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RequirePrivateStoreOnly" ` + | Select-Object -ExpandProperty "RequirePrivateStoreOnly" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.3" + Task = "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.4" + Task = "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableOSUpgrade" ` + | Select-Object -ExpandProperty "DisableOSUpgrade" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.5" + Task = "(L2) Ensure 'Turn off the Store application' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.72.1" + Task = "(L1) Ensure 'Allow widgets' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" ` + -Name "AllowNewsAndInterests" ` + | Select-Object -ExpandProperty "AllowNewsAndInterests" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.3.1" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.3.2" + Task = "(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' (PreventOverride)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.78.1" + Task = "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.1" + Task = "(L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.2" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.1" + Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.2" + Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.1" + Task = "(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowClipboardRedirection" ` + | Select-Object -ExpandProperty "AllowClipboardRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2" + Task = "(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowNetworking" ` + | Select-Object -ExpandProperty "AllowNetworking" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.3" + Task = "(L1) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if (($regValue -lt 180 -or $regValue -gt 365)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.1" + Task = "(L1) Ensure 'Enable screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.2" + Task = "(L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.4.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.4.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.7.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.7.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.7.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.7.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.7.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.25.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.40.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.42.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
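Review bot: the 19.x tests in this hunk (19.1.3.1 through 19.7.42.2.1) read `Registry::HKEY_CURRENT_USER\...`, so they evaluate the hive of whichever account runs the audit, not a chosen end-user profile; a run under a service or scheduled-task account reports on that account's settings, which should be stated in the Task text or the module README. Two smaller items: the Task string of 19.7.7.1 is missing the opening quote in `is set to Disabled'`, and 18.10.93.4.2 B rejects values above 365 (`Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365"`) while its Task only says '180 or more days', so either mention the upper bound in the Task or drop it from the check. Finally, every test catches only PSArgumentException and ItemNotFoundException; any other failure from Get-ItemProperty (for example an access-denied error) escapes the test instead of producing a Status/Message result, so a generic trailing catch that reports the exception would make the report more robust.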
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..55176b4 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#SecurityOptions.ps1 
@@ -0,0 +1,130 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#UserRights.ps1 new file mode 100644 index 0000000..d425e62 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 10-Stand-alone-CIS-2.0.0#UserRights.ps1 
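Review bot: the failure messages of 2.3.1.4 and 2.3.1.5 (`Message = "'NewAdministratorName' currently set to: $setOption."`) omit what is expected, unlike the other tests in this file that append `Expected: 0` or `Expected: 1`; append something like `Expected: a name other than 'Administrator'` so the report is actionable. Also, `-match` is case-insensitive by default in PowerShell, so the `(?i)` in the 2.3.1.5 pattern `^(?i)(?!.*\b(?:Guest|Gast)\b).*$` is redundant and 2.3.1.4 already behaves case-insensitively without it; keep the two patterns consistent, and add a short comment explaining why the guest check also excludes the German 'Gast', since the admin check lists only 'Administrator'.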
@@ -0,0 +1,1312 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object 
{ $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers 
-join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + 
Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + 
$identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + 
$messages = @() + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message 
+ } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. 
This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = 
$messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + 
Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = 
$currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + 
Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if 
($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" 
+ Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L1) Ensure 
'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..212808c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#AccountPolicies.ps1 
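Review bot: In 2.2.35 through 2.2.39 the `| Where-Object { $null -ne $_ }` after `ConvertTo-NTAccountUser` silently drops any expected SID that fails to resolve on the audited host, so an account that legitimately holds the right (the `S-1-5-80-...` virtual account for `NT SERVICE\WdiServiceHost` in 2.2.35 is the obvious candidate) is then reported as an unexpected user instead of the test surfacing the resolution problem; return a `Status = "Warning"` when the resolved list is shorter than the SID list, or compare SIDs directly if `Get-AuditResource "WindowsSecurityPolicy"` exposes them. The comparison is also one-directional: a right assigned to nobody gives `$unexpectedUsers.Count -eq 0` and is reported as `Compliant`, which is acceptable if 'is set to' is meant as an upper bound but should be stated in the message. Minor: 'contains following unexpected users' reads better as 'contains the following unexpected users'.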
@@ -0,0 +1,284 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if ($setPolicy -eq -1) { + #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'AllowAdministratorLockout' currently set to: $setPolicy. 
Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..25e8dd5 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#AuditPolicies.ps1 
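Review bot: 1.1.1 tests `$setPolicy -ne 24` while its Task reads '24 or more password(s)'; `-lt 24` expresses the stated rule (Windows caps the value at 24, but the condition and the message 'Expected: 24' should still describe the requirement, e.g. 'Expected: x >= 24', rather than an exact match). The Ids also jump from 1.1.5 to 1.1.7, so either 1.1.6 is covered in another group file or it is missing here; a comment saying which would help the next reader. Minor: every test casts with `[long]$setPolicy` without a guard, so a non-numeric value surfaces as an uncaught cast exception rather than a `Status = "None"` result.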
@@ -0,0 +1,1616 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..6e82451 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#RegistrySettings.ps1 
@@ -0,0 +1,18823 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SAM" ` + -Name "RelaxMinimumPasswordLengthLimits" ` + | Select-Object -ExpandProperty "RelaxMinimumPasswordLengthLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 1 - 'Lock Workstation' or 2 / 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client encryption requirements' is set to 1 - 'Negotiate sealing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "ldapclientconfidentiality" ` + | Select-Object -ExpandProperty "ldapclientconfidentiality" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 1 - 'Negotiate signing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.11" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.12" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AuditReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "AuditReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.13" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 1 - 'Audit all' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.14.1" + Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 1 - 'User is prompted when the key is first used' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.5" + Task = "(L2) Ensure 'GameInput Service (GameInputSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GameInputSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.6" + Task = "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.7" + Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.8" + Task = "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.9" + Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.10" + Task = "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.11" + Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.12" + Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.13" + Task = "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.14" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.15" + Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.16" + Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.17" + Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.18" + Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.19" + Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.20" + Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.21" + Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.22" + Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.23" + Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.24" + Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.25" + Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.26" + Task = "(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.27" + Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.28" + Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.29" + Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.30" + Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.31" + Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.32" + Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.33" + Task = "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.34" + Task = "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.35" + Task = "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.36" + Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.37" + Task = "(L2) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.38" + Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.39" + Task = "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.40" + Task = "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.41" + Task = "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.42" + Task = "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } 
+ ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = 
"%SystemRoot%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows 
Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + 
Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key 
-ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue 
$expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ 
+ Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths 
-Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" ` + -Name "EnableCertPaddingCheck" ` + | Select-Object -ExpandProperty "EnableCertPaddingCheck" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters" ` + -Name "disablesavepassword" ` + | Select-Object -ExpandProperty "disablesavepassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.13" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMDNS" ` + | Select-Object -ExpandProperty "EnableMDNS" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' or 0 - 'Enabled: Disable NetBIOS name resolution'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.3" + Task = "(L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "DisableIPv6DefaultDnsServers" ` + | Select-Object -ExpandProperty "DisableIPv6DefaultDnsServers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.4" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.1" + Task = "(L1) Ensure 'Audit client does not support encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "AuditClientDoesNotSupportEncryption" ` + | Select-Object -ExpandProperty "AuditClientDoesNotSupportEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.2" + Task = "(L1) Ensure 'Audit client does not support signing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "AuditClientDoesNotSupportSigning" ` + | Select-Object -ExpandProperty "AuditClientDoesNotSupportSigning" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.3" + Task = "(L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "AuditInsecureGuestLogon" ` + | Select-Object -ExpandProperty "AuditInsecureGuestLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.4" + Task = "(L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "EnableAuthRateLimiter" ` + | Select-Object -ExpandProperty "EnableAuthRateLimiter" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.5" + Task = "(L1) Ensure 'Enable remote mailslots' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Bowser" ` + -Name "EnableMailslots" ` + | Select-Object -ExpandProperty "EnableMailslots" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.6" + Task = "(L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "MinSmb2Dialect" ` + | Select-Object -ExpandProperty "MinSmb2Dialect" + + if (($regValue -ne 785)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 785" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.7" + Task = "(L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "InvalidAuthenticationDelayTimeInMs" ` + | Select-Object -ExpandProperty "InvalidAuthenticationDelayTimeInMs" + + if (($regValue -lt 2000)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 2000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AuditInsecureGuestLogon" ` + | Select-Object -ExpandProperty "AuditInsecureGuestLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.2" + Task = "(L1) Ensure 'Audit server does not support encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AuditServerDoesNotSupportEncryption" ` + | Select-Object -ExpandProperty "AuditServerDoesNotSupportEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.3" + Task = "(L1) Ensure 'Audit server does not support signing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AuditServerDoesNotSupportSigning" ` + | Select-Object -ExpandProperty "AuditServerDoesNotSupportSigning" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.4" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.5" + Task = "(L1) Ensure 'Enable remote mailslots' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider" ` + -Name "EnableMailslots" ` + | Select-Object -ExpandProperty "EnableMailslots" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.6" + Task = "(L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "MinSmb2Dialect" ` + | Select-Object -ExpandProperty "MinSmb2Dialect" + + if (($regValue -ne 785)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 785" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.7" + Task = "(L1) Ensure 'Require Encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "RequireEncryption" ` + | Select-Object -ExpandProperty "RequireEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.23.2.1" + Task = "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: 0 - Negotiate' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L2) Ensure 'Configure Windows protected print' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\WPP" ` + -Name "WindowsProtectedPrintGroupPolicyState" ` + | Select-Object -ExpandProperty "WindowsProtectedPrintGroupPolicyState" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.12" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.13" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.2" + Task = "(L2) Ensure 'Remove Personalized Website Recommendations from the Recommended section in the Start Menu' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "HideRecommendedPersonalizedSites" ` + | Select-Object -ExpandProperty "HideRecommendedPersonalizedSites" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(L1) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 1 - 'Secure Boot' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 1) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.7" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureKernelShadowStacksLaunch" ` + | Select-Object -ExpandProperty "ConfigureKernelShadowStacksLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.1" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2 A" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the SBP2 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2 B" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the IEC-61883 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2 C" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the AVC Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "{c06ff265-ae09-48f0-812c-16753d7cba83}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {c06ff265-ae09-48f0-812c-16753d7cba83}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2 D" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 Host Bus Controller Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "{6bdd1fc1-810f-11d0-bec7-08002be2092f}") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: {6bdd1fc1-810f-11d0-bec7-08002be2092f}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.3" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.5" + Task = "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.6" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.7" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Configure password backup directory' is set to 2 - 'Enabled: Active Directory' or 1 - 'Enabled: Azure Active Directory'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "BackupDirectory" ` + | Select-Object -ExpandProperty "BackupDirectory" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.3" + Task = "(L1) Ensure 'Enable password encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "ADPasswordEncryptionEnabled" ` + | Select-Object -ExpandProperty "ADPasswordEncryptionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if (($regValue -lt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if (($regValue -gt 30 -or $regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.7" + Task = "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationResetDelay" ` + | Select-Object -ExpandProperty "PostAuthenticationResetDelay" + + if (($regValue -gt 8 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 8 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.8" + Task = "(L1) Ensure 'Post-authentication actions: Actions' is set to 3 - 'Enabled: Reset the password and logoff the managed account' or 5 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationActions" ` + | Select-Object -ExpandProperty "PostAuthenticationActions" + + if (($regValue -ne 3) -and ($regValue -ne 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3 or 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCustomSSPsAPs" ` + | Select-Object -ExpandProperty "AllowCustomSSPsAPs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2" + Task = "(L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.1.1" + Task = "(L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters" ` + -Name "BlockNetbiosDiscovery" ` + | Select-Object -ExpandProperty "BlockNetbiosDiscovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.1" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.2" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.3" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.4" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.5" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.6" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.2" + Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.1" + Task = "(L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM" ` + -Name "SamrChangeUserPasswordApiPolicy" ` + | Select-Object -ExpandProperty "SamrChangeUserPasswordApiPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.2" + Task = "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.52" + Task = "(L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sudo" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Turn off API Sampling' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableAPISamping" ` + | Select-Object -ExpandProperty "DisableAPISamping" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.2" + Task = "(L2) Ensure 'Turn off Application Footprint' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableApplicationFootprint" ` + | Select-Object -ExpandProperty "DisableApplicationFootprint" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.3" + Task = "(L2) Ensure 'Turn off Install Tracing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInstallTracing" ` + | Select-Object -ExpandProperty "DisableInstallTracing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.2" + Task = "(L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx" ` + -Name "DisablePerUserUnsignedPackagesByDefault" ` + | Select-Object -ExpandProperty "DisablePerUserUnsignedPackagesByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.3" + Task = "(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx" ` + -Name "BlockNonAdminUserInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminUserInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.6.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.6.2" + Task = "(L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "BlockHostedAppAccessWinRT" ` + | Select-Object -ExpandProperty "BlockHostedAppAccessWinRT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "FDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 2 - 'Enabled: Allow 48-digit recovery password' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if (($regValue -ne 2) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 2 - 'Enabled: Allow 256-bit recovery key' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if (($regValue -ne 2) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHardwareEncryption" ` + | Select-Object -ExpandProperty "FDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.11" + Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.12" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVAllowUserCert" ` + | Select-Object -ExpandProperty "FDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1.13" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVEnforceUserCert" ` + | Select-Object -ExpandProperty "FDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.1" + Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.2" + Task = "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSAllowSecureBootForIntegrity" ` + | Select-Object -ExpandProperty "OSAllowSecureBootForIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryPassword" ` + | Select-Object -ExpandProperty "OSRecoveryPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryKey" ` + | Select-Object -ExpandProperty "OSRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "OSActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.10" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHardwareEncryption" ` + | Select-Object -ExpandProperty "OSHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.12" + Task = "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSPassphrase" ` + | Select-Object -ExpandProperty "OSPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.13" + Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.2.14" + Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "RDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHardwareEncryption" ` + | Select-Object -ExpandProperty "RDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.11" + Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.12" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVAllowUserCert" ` + | Select-Object -ExpandProperty "RDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.13" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVEnforceUserCert" ` + | Select-Object -ExpandProperty "RDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.14" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.3.15" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.4" + Task = "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.11.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.2" + Task = "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableCloudOptimizedContent" ` + | Select-Object -ExpandProperty "DisableCloudOptimizedContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.3" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "NoLocalPasswordResetQuestions" ` + | Select-Object -ExpandProperty "NoLocalPasswordResetQuestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.1" + Task = "(L1) Ensure 'Download Mode' is NOT set to 3 - 'Enabled: Internet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if ($regValue -notmatch "^(0|1|2|99|100)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(0|1|2|99|100)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.1" + Task = "(L2) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.4" + Task = "(L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableLocalArchiveMalwareScanOverride" ` + | Select-Object -ExpandProperty "EnableLocalArchiveMalwareScanOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.5" + Task = "(L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableBypassCertificatePinningForMicrosoftStore" ` + | Select-Object -ExpandProperty "EnableBypassCertificatePinningForMicrosoftStore" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.6" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.7" + Task = "(L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableWindowsPackageManagerCommandLineInterfaces" ` + | Select-Object -ExpandProperty "EnableWindowsPackageManagerCommandLineInterfaces" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.2" + Task = "(L2) Ensure 'Turn off account-based insights, recent, favorite, and recommended files in File Explorer' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "DisableGraphRecentItems" ` + | Select-Object -ExpandProperty "DisableGraphRecentItems" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.3" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.4" + Task = "(L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "DisableMotWOnInsecurePathCopy" ` + | Select-Object -ExpandProperty "DisableMotWOnInsecurePathCopy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.5" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.6" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.37.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.4.1" + Task = "(L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" ` + -Name "PassiveRemediation" ` + | Select-Object -ExpandProperty "PassiveRemediation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" ` + -Name "26190899-1602-49e8-8b27-eb1d0a1ce869" ` + | Select-Object -ExpandProperty "26190899-1602-49e8-8b27-eb1d0a1ce869" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 M" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.7.1" + Task = "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.8.1" + Task = "(L2) Ensure 'Convert warn verdict to block' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS" ` + -Name "EnableConvertWarnToBlock" ` + | Select-Object -ExpandProperty "EnableConvertWarnToBlock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.1" + Task = "(L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "OobeEnableRtpAndSigUpdate" ` + | Select-Object -ExpandProperty "OobeEnableRtpAndSigUpdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.2" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.3" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.4" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.5" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.11.1.1.1" + Task = "(L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set to 1 - 'Enabled: Medium' or 2 - higher" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection" ` + -Name "BruteForceProtectionAggressiveness" ` + | Select-Object -ExpandProperty "BruteForceProtectionAggressiveness" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.11.1.1.2" + Task = "(L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 2 - 'Enabled: Audit' or 1 - higher" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection" ` + -Name "BruteForceProtectionConfiguredState" ` + | Select-Object -ExpandProperty "BruteForceProtectionConfiguredState" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.11.1.2.1" + Task = "(L2) Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 1 - 'Enabled: Medium' or 2 - higher" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Remote Encryption Protection" ` + -Name "RemoteEncryptionProtectionAggressiveness" ` + | Select-Object -ExpandProperty "RemoteEncryptionProtectionAggressiveness" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.1" + Task = "(L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "QuickScanIncludeExclusions" ` + | Select-Object -ExpandProperty "QuickScanIncludeExclusions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.2" + Task = "(L1) Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.3" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.4" + Task = "(L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DaysUntilAggressiveCatchupQuickScan" ` + | Select-Object -ExpandProperty "DaysUntilAggressiveCatchupQuickScan" + + if (($regValue -ne 7)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.5" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.17" + Task = "(L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "HideExclusionsFromLocalUsers" ` + | Select-Object -ExpandProperty "HideExclusionsFromLocalUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.1" + Task = "(L1) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AuditApplicationGuard" ` + | Select-Object -ExpandProperty "AuditApplicationGuard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.2" + Task = "(L1) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowCameraMicrophoneRedirection" ` + | Select-Object -ExpandProperty "AllowCameraMicrophoneRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.3" + Task = "(L1) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowPersistence" ` + | Select-Object -ExpandProperty "AllowPersistence" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.4" + Task = "(L1) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "SaveFilesToHost" ` + | Select-Object -ExpandProperty "SaveFilesToHost" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.5" + Task = "(L1) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AppHVSIClipboardSettings" ` + | Select-Object -ExpandProperty "AppHVSIClipboardSettings" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1. " + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found. " + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found. " + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.6" + Task = "(L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowAppHVSI_ProviderSet" ` + | Select-Object -ExpandProperty "AllowAppHVSI_ProviderSet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 " + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found. " + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found. " + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" ` + -Name "EnableFeeds" ` + | Select-Object -ExpandProperty "EnableFeeds" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.51.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.2" + Task = "(L2) Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" ` + -Name "DisableCloudClipboardIntegration" ` + | Select-Object -ExpandProperty "DisableCloudClipboardIntegration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.3" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.2.1" + Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.1" + Task = "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "EnableUiaRedirection" ` + | Select-Object -ExpandProperty "EnableUiaRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.2" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.3" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.4" + Task = "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLocationRedir" ` + | Select-Object -ExpandProperty "fDisableLocationRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.5" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.6" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.7" + Task = "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableWebAuthn" ` + | Select-Object -ExpandProperty "fDisableWebAuthn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.8" + Task = "(L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SCClipLevel" ` + | Select-Object -ExpandProperty "SCClipLevel" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.2" + Task = "(L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.3" + Task = "(L1) Ensure 'Allow Cortana' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortana" ` + | Select-Object -ExpandProperty "AllowCortana" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.4" + Task = "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortanaAboveLock" ` + | Select-Object -ExpandProperty "AllowCortanaAboveLock" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.5" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.6" + Task = "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.7" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.63.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.1" + Task = "(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.2" + Task = "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.3" + Task = "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableOSUpgrade" ` + | Select-Object -ExpandProperty "DisableOSUpgrade" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.4" + Task = "(L2) Ensure 'Turn off the Store application' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.72.1" + Task = "(L1) Ensure 'Allow widgets' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" ` + -Name "AllowNewsAndInterests" ` + | Select-Object -ExpandProperty "AllowNewsAndInterests" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.1" + Task = "(L1) Ensure 'Automatic Data Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "CaptureThreatWindow" ` + | Select-Object -ExpandProperty "CaptureThreatWindow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.2" + Task = "(L1) Ensure 'Notify Malicious' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyMalicious" ` + | Select-Object -ExpandProperty "NotifyMalicious" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.3" + Task = "(L1) Ensure 'Notify Password Reuse' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyPasswordReuse" ` + | Select-Object -ExpandProperty "NotifyPasswordReuse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.4" + Task = "(L1) Ensure 'Notify Unsafe App' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyUnsafeApp" ` + | Select-Object -ExpandProperty "NotifyUnsafeApp" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.5" + Task = "(L1) Ensure 'Service Enabled' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "ServiceEnabled" ` + | Select-Object -ExpandProperty "ServiceEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.78.1" + Task = "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.1" + Task = "(L1) Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics" ` + -Name "EnableESSwithSupportedPeripherals" ` + | Select-Object -ExpandProperty "EnableESSwithSupportedPeripherals" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.1" + Task = "(L1) Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' 
is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.2" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.1" + Task = "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.2" + Task = "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.1" + Task = "(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowClipboardRedirection" ` + | Select-Object -ExpandProperty "AllowClipboardRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2" + Task = "(L2) Ensure 'Allow mapping folders into Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowWriteToMappedFolders" ` + | Select-Object -ExpandProperty "AllowWriteToMappedFolders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.3" + Task = "(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowNetworking" ` + | Select-Object -ExpandProperty "AllowNetworking" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.3" + Task = "(L1) Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "AllowTemporaryEnterpriseFeatureControl" ` + | Select-Object -ExpandProperty "AllowTemporaryEnterpriseFeatureControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.4" + Task = "(L1) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if (($regValue -lt 180 -or $regValue -gt 365)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.4" + Task = "(L1) Ensure 'Enable optional updates' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "AllowOptionalContent" ` + | Select-Object -ExpandProperty "AllowOptionalContent" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.26.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.40.1" + Task = "(L1) Ensure 'Turn off Windows Copilot' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" ` + -Name "TurnOffWindowsCopilot" ` + | Select-Object -ExpandProperty "TurnOffWindowsCopilot" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.44.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.46.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..a513d52 
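Review bot: the user-configuration tests in this hunk (19.5.1.1 through 19.7.46.2.1) read HKEY_CURRENT_USER, so they audit the hive of whichever account runs the auditor rather than the user being assessed; run elevated under a different account, or from a scheduled task as SYSTEM, every one of these checks reports the wrong profile. Either resolve the audited user's hive under HKEY_USERS\<SID> or document that these tests must execute in that user's own session. Separately, test 18.10.92.2.1 branches on `$avstatus` and `$windefrunning`, which are not assigned anywhere in the visible code; if they are not script-scope variables initialised in the file header, `if ($avstatus)` is always false and the Windows Defender precondition is silently skipped.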
--- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#SecurityOptions.ps1 
@@ -0,0 +1,130 @@ +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected any other name than 'Administrator'" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected any other name than 'Guest' or 'Gast'" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#UserRights.ps1 new file mode 100644 index 0000000..2ef5593 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-CIS-4.0.0#UserRights.ps1 
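Review bot: in tests 2.3.1.3 and 2.3.1.4 the pattern `^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$` also enforces a 1 to 20 character length, but the failure message only says "Expected any other name than 'Administrator'" (or 'Guest'/'Gast'), so a renamed account whose name is longer than 20 characters fails with a misleading reason. Either drop the length lookahead, since the benchmark item only requires the account to be renamed, or extend the message to state the length constraint. Note that the word-boundary exclusion accepts names such as 'Administrators' or 'Admin'; that is consistent with the "any other name" wording but is worth spelling out in the Task text.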
@@ -0,0 +1,1509 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE") { + if ($name -eq "Enterprise Admins") { + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins") { + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } + else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + 
Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + 
Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") 
+ } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin 
$currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ($hyperVStatus -ne "Enabled") { + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else { + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } 
+} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if ($null -eq $currentUserRights -and $identityAccounts.Count -gt 0) { + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if ($currentUserRights.Count -lt $identityAccounts.Count) { + $users = "" + foreach ($currentUser in $currentUserRights) { + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. 
Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-113" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = 
"(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-6" + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + 
$identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join 
[System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if 
($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ($hyperVStatus -ne "Enabled") { + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else { + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if ($missingUsers.Count -gt 0) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeServiceLogonRight' setting does 
not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + 
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not 
contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = 
$currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
+[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#AccountPolicies.ps1 new file mode 100644 index 0000000..da0ac0e --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#AccountPolicies.ps1 
@@ -0,0 +1,196 @@ +[AuditTest] @{ + Id = "AccountPolicy-361" + Task = "Ensure 'MinimumPasswordLength' is set to '14' character(s)." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 14) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-362" + Task = "The built-in Windows password complexity policy must be enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-363" + Task = "The password history must be configured to 24 passwords remembered" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. 
Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-364" + Task = "Ensure 'LockoutBadCount' is set to '10' invalid logon attempt(s)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 10) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-365" + Task = "Ensure 'Reset account lockout counter after' is set to '10 minutes'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 10) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 10 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-366" + Task = "Ensure 'LockoutDuration' is set to '10 minutes'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 10) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. 
Expected: 10 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-367" + Task = "Reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#AuditPolicies.ps1 new file mode 100644 index 0000000..76a02f4 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#AuditPolicies.ps1 
@@ -0,0 +1,1388 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "AuditPolicy-166" + Task = "Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-167" + Task = "Ensure 'Security Group Management' is set to 'Success'." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-168" + Task = "Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-169" + Task = "Ensure 'Plug and Play Events' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-170" + Task = "Ensure 'Process Creation' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-171" + Task = "Ensure 'Account Lockout' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-172" + Task = "Ensure 'Group Membership' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-173" + Task = "Ensure 'Logon' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-174" + Task = "Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-175" + Task = "Ensure 'Special Logon' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-176" + Task = "Ensure 'Detailed File Share' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-177" + Task = "Ensure 'File Share' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-178" + Task = "Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-179" + Task = "Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-180" + Task = "Ensure 'Audit Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-181" + Task = "Ensure 'Authentication Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-182" + Task = "Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory MPSSVC Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "MPSSVC Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'MPSSVC Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-183" + Task = "Ensure 'Other Policy Change Events' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-184" + Task = "Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-185" + Task = "Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-186" + Task = "Ensure 'Security State Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-187" + Task = "Ensure 'Security System Extension' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-188" + Task = "Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#RegistrySettings.ps1 new file mode 100644 index 0000000..0ab0432 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#RegistrySettings.ps1 
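Review bot: the `Write-Error -Message $errorString` after `throw [System.ArgumentException] $errorString` in every AuditPolicy test block (171 through 188) is unreachable, and the message it builds has unbalanced quotes (`"'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE"`); drop the `Write-Error` line or move it before the `throw`, and quote the command as `"'auditpol /get /subcategory:$subCategoryGUID' returned ..."`. The same scaffold (GUID lookup, `auditpol /get`, `$LASTEXITCODE` check, `Select-Object -Skip 3`, regex match) is copied verbatim into each block and differs only in the subcategory name and the accepted settings, so a helper such as `Test-AuditPolicySubcategory -Subcategory "Logon" -Expected @("Success and Failure", "Erfolg und Fehler")` would shrink the file and keep the parsing in one place. Note also that `$line -notmatch ...` behaves differently if `$auditPolicyString | Where-Object { $_ } | Select-Object -Skip 3` yields more than one line (the operator then filters the array instead of returning a boolean and `$Matches` is not set); selecting only the last line, or matching `$line[-1]`, makes the parsing robust to extra output.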
@@ -0,0 +1,12011 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "Registry-001" + Task = "Turn off Connect to suggested open hotspots and Connect to networks shared by my contacts" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-002" + Task = "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-003" + Task = "Ensure 'Turn off Autoplay' is set to 'All drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-004" + Task = "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-005" + Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-006" + Task = "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-007" + Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-008" + Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-009" + Task = "Ensure 'Enable MPR notifications for the system' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-010" + Task = "Ensure 'Encryption Oracle Remediation' is set to 'Force Updated Clients'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-011" + Task = "Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-012" + Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-013" + Task = "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-014" + Task = "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-015" + Task = "Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Force Deny'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-016" + Task = "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-017" + Task = "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-018" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768' (Application)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-019" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608' (Security)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-020" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768' (System)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-021" + Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-022" + Task = "Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-023" + Task = "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-024" + Task = "Ensure 'Configure registry policy processing' is set to '0'. (NoBackgroundPolicy)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-025" + Task = "Ensure 'Always install with elevated privileges' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-026" + Task = "Ensure 'Allow user control over installs' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-027" + Task = "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Block all'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-028" + Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-029" + Task = "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-030" + Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ( -not($regValue -match "RequireMutualAuthentication=1" -and $regValue -match "RequireIntegrity=1")) { + return @{ + Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-031" + Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ( -not($regValue -match "RequireMutualAuthentication=1" -and $regValue -match "RequireIntegrity=1")) { + return @{ + Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-032" + Task = "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-033" + Task = "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-034" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-035" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is not set." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockInvocationLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-036" + Task = "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-037" + Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-038" + Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-039" + Task = "Ensure 'Configure Windows Defender SmartScreen' is set to 'Block'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-040" + Task = "Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowCustomSSPsAPs" ` + | Select-Object -ExpandProperty "AllowCustomSSPsAPs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-041" + Task = "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-042" + Task = "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-043" + Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-044" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'. (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-045" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'. (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-046" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'. 
(Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-047" + Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-048" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'. 
(Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-049" + Task = "Ensure 'Notify Malicious' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyMalicious" ` + | Select-Object -ExpandProperty "NotifyMalicious" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-050" + Task = "Ensure 'Notify Password Reuse' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyPasswordReuse" ` + | Select-Object -ExpandProperty "NotifyPasswordReuse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-051" + Task = "Ensure 'Notify Unsafe App' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyUnsafeApp" ` + | Select-Object -ExpandProperty "NotifyUnsafeApp" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-052" + Task = "Ensure 'Service Enabled' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "ServiceEnabled" ` + | Select-Object -ExpandProperty "ServiceEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-053" + Task = "Ensure 'Turn off multicast name resolution' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-054" + Task = "Set registry value 'EnableNetBIOS' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-055" + Task = "Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-056" + Task = "Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-057" + Task = "Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-058" + Task = "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-059" + Task = "Set registry value 'RpcUseNamedPipeProtocol' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-060" + Task = "Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-061" + Task = "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-062" + Task = "Set registry value 'ForceKerberosForRpc' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-063" + Task = "Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-064" + Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-065" + Task = "Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fUseMailto" ` + | Select-Object -ExpandProperty "fUseMailto" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-066" + Task = "Solicited Remote Assistance must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-067" + Task = "Ensure 'Configure Solicited Remote Assistance' is not set (fAllowFullControl)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowFullControl" ` + | Select-Object -ExpandProperty "fAllowFullControl" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-068" + Task = "Ensure 'Configure Solicited Remote Assistance' is not set (MaxTicketExpiry)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxTicketExpiry" ` + | Select-Object -ExpandProperty "MaxTicketExpiry" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-069" + Task = "Ensure 'Configure Solicited Remote Assistance' is not set (MaxTicketExpiryUnits)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxTicketExpiryUnits" ` + | Select-Object -ExpandProperty "MaxTicketExpiryUnits" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-070" + Task = "Ensure 'Set client connection encryption level' is set to 'High Level'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-071" + Task = "Ensure 'Always prompt for password upon connection' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-072" + Task = "Ensure 'Do not allow drive redirection' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-073" + Task = "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-074" + Task = "Ensure 'Require secure RPC communication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-076" + Task = "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "DefaultOutboundAction" ` + | Select-Object -ExpandProperty "DefaultOutboundAction" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-077" + Task = "Ensure 'Windows Defender Firewall: Prohibit notifications' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "DisableNotifications" ` + | Select-Object -ExpandProperty "DisableNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-078" + Task = "Ensure 'Windows Defender Firewall: Protect all network connections' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "EnableFirewall" ` + | Select-Object -ExpandProperty "EnableFirewall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-079" + Task = "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-080" + Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" ` + -Name "LogDroppedPackets" ` + | Select-Object -ExpandProperty "LogDroppedPackets" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-081" + Task = "Ensure 'Windows Defender Firewall: Allow logging' is set to '16384' (LogFileSize)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" ` + -Name "LogFileSize" ` + | Select-Object -ExpandProperty "LogFileSize" + + if ($regValue -ne 16384) { + return @{ + Message = "Registry value is '$regValue'. Expected: 16384" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-082" + Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" ` + -Name "LogSuccessfulConnections" ` + | Select-Object -ExpandProperty "LogSuccessfulConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-083" + Task = "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "EnableFirewall" ` + | Select-Object -ExpandProperty "EnableFirewall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-084" + Task = "Private: Set registry value 'DisableNotifications' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DisableNotifications" ` + | Select-Object -ExpandProperty "DisableNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-085" + Task = "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-086" + Task = "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" ` + -Name "DefaultOutboundAction" ` + | Select-Object -ExpandProperty "DefaultOutboundAction" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-087" + Task = "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogSuccessfulConnections" ` + | Select-Object -ExpandProperty "LogSuccessfulConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-088" + Task = "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogDroppedPackets" ` + | Select-Object -ExpandProperty "LogDroppedPackets" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-089" + Task = "Set registry value 'LogFileSize' to 16384." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" ` + -Name "LogFileSize" ` + | Select-Object -ExpandProperty "LogFileSize" + + if ($regValue -ne 16384) { + return @{ + Message = "Registry value is '$regValue'. Expected: 16384" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-090" + Task = "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "DefaultOutboundAction" ` + | Select-Object -ExpandProperty "DefaultOutboundAction" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-091" + Task = "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "EnableFirewall" ` + | Select-Object -ExpandProperty "EnableFirewall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-092" + Task = "Public: Set registry value 'DisableNotifications' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "DisableNotifications" ` + | Select-Object -ExpandProperty "DisableNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-093" + Task = "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "AllowLocalIPsecPolicyMerge" ` + | Select-Object -ExpandProperty "AllowLocalIPsecPolicyMerge" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-094" + Task = "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "AllowLocalPolicyMerge" ` + | Select-Object -ExpandProperty "AllowLocalPolicyMerge" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-095" + Task = "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" ` + -Name "DefaultInboundAction" ` + | Select-Object -ExpandProperty "DefaultInboundAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-096" + Task = "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogFileSize" ` + | Select-Object -ExpandProperty "LogFileSize" + + if ($regValue -ne 16384) { + return @{ + Message = "Registry value is '$regValue'. Expected: 16384" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-097" + Task = "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogDroppedPackets" ` + | Select-Object -ExpandProperty "LogDroppedPackets" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-098" + Task = "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogSuccessfulConnections" ` + | Select-Object -ExpandProperty "LogSuccessfulConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-099" + Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-100" + Task = "Ensure 'Enable local admin password management' set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-101" + Task = "Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-102" + Task = "Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-103" + Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-104" + Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-105" + Task = "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-106" + Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-107" + Task = "Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-108" + Task = "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-109" + Task = "Ensure 'NetBT NodeType configuration' is set to 'P-node (recommended)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-110" + Task = "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-111" + Task = "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Highest protection, source routing is completely disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-112" + Task = "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Highest protection, source routing is completely disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-113" + Task = "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-114" + Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -ne 900)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-115" + Task = "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-116" + Task = "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-117" + Task = "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-118" + Task = "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-119" + Task = "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-120" + Task = "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-121" + Task = "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-122" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if (($regValue -ne 537395200)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-123" + Task = "(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-124" + Task = "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-125" + Task = "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if (($regValue -ne 537395200)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-126" + Task = "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-127" + Task = "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-128" + Task = "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "sealsecurechannel" ` + | Select-Object -ExpandProperty "sealsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-129" + Task = "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-130" + Task = "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-131" + Task = "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-132" + Task = "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-133" + Task = "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-134" + Task = "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-135" + Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-136" + Task = "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-137" + Task = "User Account Control must be configured to detect application installations and prompt for elevation" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-138" + Task = "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-139" + Task = "User Account Control must virtualize file and registry write failures to per-user locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-140" + Task = "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-141" + Task = "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-189" + Task = "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-190" + Task = "Ensure 'Select cloud protection level' is set to 'Enabled:High blocking level'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "MpCloudBlockLevel" ` + | Select-Object -ExpandProperty "MpCloudBlockLevel" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-191" + Task = "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-192" + Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-193" + Task = "Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-194" + Task = "Ensure 'Turn on behavior monitoring' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-195" + Task = "Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-196" + Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'." 
+ Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-197" + Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-198" + Task = "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'." + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "DisableBlockAtFirstSeen" ` + | Select-Object -ExpandProperty "DisableBlockAtFirstSeen" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-199" + Task = "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-200" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-201" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-202" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-203" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-204" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-205" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-206" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-207" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe))'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-208" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB' is configured" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-209" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-210" + Task = "(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-211" + Task = "Ensure 'Configure Attack Surface Reduction rules: Use advanced protection against ransomware'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" ` + -Name "c1db55ab-c21a-4637-bb3f-a12568109d35" ` + | Select-Object -ExpandProperty "c1db55ab-c21a-4637-bb3f-a12568109d35" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-212" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-213" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-214" + Task = "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Block'" + Test = { + try { + if ($avstatus) { + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-215" + Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "RunThisTimeEnabled" ` + | Select-Object -ExpandProperty "RunThisTimeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-216" + Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "VersionCheckEnabled" ` + | Select-Object -ExpandProperty "VersionCheckEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-217" + Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-218" + Task = "Set registry value 'CheckExeSignatures' to yes." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-219" + Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-220" + Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-221" + Task = "Set registry value 'Isolation' to PMEM." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-222" + Task = "Ensure 'Internet Explorer Processes for MK protocol' is not enabled (Reserved)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-223" + Task = "Ensure 'Internet Explorer Processes for MK protocol' is not enabled (iexplore.exe)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-224" + Task = " Ensure 'Internet Explorer Processes for MK protocol' is not enabled (explorer.exe)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-225" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-226" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_MIME_HANDLING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-227" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_MIME_HANDLING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-228" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_MIME_SNIFFING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-229" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_MIME_SNIFFING)" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-230" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_MIME_SNIFFING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-231" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_RESTRICT_ACTIVEXINSTALL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-232" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_RESTRICT_ACTIVEXINSTALL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-233" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_RESTRICT_ACTIVEXINSTALL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-234" + Task = "Set registry value '(Reserved)' to 1. 
(FEATURE_RESTRICT_FILEDOWNLOAD)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-235" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_RESTRICT_FILEDOWNLOAD)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-236" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_RESTRICT_FILEDOWNLOAD)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-237" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_SECURITYBAND)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-238" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_SECURITYBAND)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-239" + Task = "Set 'Notification bar' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-240" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_WINDOW_RESTRICTIONS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-241" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_WINDOW_RESTRICTIONS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-242" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_WINDOW_RESTRICTIONS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-243" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_ZONE_ELEVATION)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-244" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_ZONE_ELEVATION)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-245" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_ZONE_ELEVATION)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-246" + Task = "Set 'Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-247" + Task = "Set 'Prevent Bypassing SmartScreen Filter Warnings' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-248" + Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-249" + Task = "Set 'Turn off Crash Detection' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-250" + Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-251" + Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-252" + Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" ` + -Name "OnlyUseAXISForActiveXInstall" ` + | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-253" + Task = "Set 'Security Zones: Do not allow users to add/delete sites' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-254" + Task = "Set 'Security Zones: Do not allow users to change policies' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-255" + Task = "Set 'Security Zones: Use only machine settings' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-256" + Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-257" + Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-258" + Task = "Set 'Turn on certificate address mismatch warning' to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-259" + Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "EnableSSL3Fallback" ` + | Select-Object -ExpandProperty "EnableSSL3Fallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-260" + Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if (($regValue -ne 2560)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-261" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. (Lockdown_Zones/0)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-262" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Lockdown_Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-263" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. (Lockdown_Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-264" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
(Lockdown_Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-265" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. (Lockdown_Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-266" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Lockdown_Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-267" + Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-268" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Zones/0)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-269" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. (Zones/0)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-270" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. 
(Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-271" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. (Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-272" + Task = "Ensure 'Java permissions' is set to 'High safety'. 
(Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if (($regValue -ne 65536)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-273" + Task = "Ensure 'Java permissions' is set to 'High safety'. (Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if (($regValue -ne 65536)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-274" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. 
(Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-275" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. (Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-276" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-277" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-278" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-279" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-280" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-281" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-282" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-283" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-284" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-285" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-286" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-287" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-288" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-289" + Task = "Ensure 'Userdata persistence' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-290" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-291" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-292" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-293" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-294" + Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if (($regValue -ne 65536)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-295" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-296" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-297" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-298" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-299" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-300" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-301" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-302" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-303" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-304" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-305" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-306" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-307" + Task = "Set registry value '140C' to 3. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-308" + Task = "Ensure 'Allow META REFRESH' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-309" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-310" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-311" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-312" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-313" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-314" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-315" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-316" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-317" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-318" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-319" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-320" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-321" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-322" + Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-323" + Task = "Ensure 'Scripting of Java applets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-324" + Task = "Ensure 'Allow file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-325" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-326" + Task = "Ensure 'Allow active scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-327" + Task = "Ensure 'Logon options' is set to 'Anonymous logon'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-328" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-329" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-330" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-331" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-332" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-333" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-334" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-335" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-336" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-337" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-338" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-339" + Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-340" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-341" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-342" + Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-343" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-344" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-345" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-346" + Task = "Set registry value '140C' to 3. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-347" + Task = "Set 'Turn on the auto-complete feature for user names and passwords on forms' to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-348" + Task = "Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest PW Ask" ` + | Select-Object -ExpandProperty "FormSuggest PW Ask" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-349" + Task = "Set registry value 'FormSuggest Passwords' to no." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-351" + Task = "Ensure 'Allow enhanced PINs for startup' is set 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-352" + Task = "Set registry value 'RDVDenyCrossOrg' to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-353" + Task = "Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-354" + Task = "Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-355" + Task = "Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-356" + Task = "Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-357" + Task = "Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True) '." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-358" + Task = "Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the SBP2 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-359" + Task = "Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-368" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-369" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -eq 3) { + return @{ + Message = "Set to 'Secure Boot and DMA Protection' which is more secure." + Status = "True" + } + } + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-370" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-371" + Task = "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-372" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-373" + Task = "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-374" + Task = "Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureKernelShadowStacksLaunch" ` + | Select-Object -ExpandProperty "ConfigureKernelShadowStacksLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-375" + Task = "Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-376" + Task = "Toast notifications to the lock screen must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
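Review bot: Registry-370 and Registry-372 carry the identical Task string "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." while checking different values (HypervisorEnforcedCodeIntegrity and LsaCfgFlags), so a failing entry in the report cannot tell the reader which sub-setting is wrong; Registry-368 and Registry-369 reuse the same base wording for EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures. Name the sub-option in each Task the way Registry-371, Registry-373 and Registry-374 do (the code-integrity sub-setting for HypervisorEnforcedCodeIntegrity, the Credential Guard sub-setting for LsaCfgFlags). Separately, Registry-358 reads only the value named "1" under DenyDeviceClasses and compares it to a single GUID, so a policy that lists the IEEE 1394 class under any other index is reported as non-compliant; enumerating the key's values and checking that {d48179be-ec20-11d1-b6b8-00c04fa372a7} is present would match the intent of the Task.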
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#SecurityOptions.ps1 new file mode 100644 index 0000000..64418af --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#SecurityOptions.ps1 @@ -0,0 +1,26 @@ +[AuditTest] @{ + Id = "SecurityOption-142" + Task = "Anonymous SID/Name translation must not be allowed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#UserRights.ps1 new file mode 100644 index 0000000..60fbc6b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Microsoft-22H2#UserRights.ps1 
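Review bot: The not-set branch of SecurityOption-142 returns the bare message "Currently not set." while the non-compliant branch names the setting and the expected value; report "'LSAAnonymousNameLookup' is currently not set. Expected: 0" so both failure paths are self-describing in the generated report. Minor style point in the same block: the lookup mixes quote styles (`$securityOption['System Access']["LSAAnonymousNameLookup"]`); pick one for consistency with the rest of the file.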
@@ -0,0 +1,875 @@ +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "UserRight-143" + Task = "Ensure 'Manage auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + 
"S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-144" + Task = "Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = 
$message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-145" + Task = "Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-146" + Task = "Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count 
-gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-147" + Task = "Ensure 'Deny log on through Remote Desktop Services' to include 'Local account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-148" + Task = "Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + 
$identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-149" + Task = "Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return 
@{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-150" + Task = "Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-151" + Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + 
$messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-152" + Task = "Ensure 'Deny access to this computer from the network' is set to 'Local account'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-153" + Task = "Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + 
$identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-154" + Task = "Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not 
contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-155" + Task = "Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-156" + Task = "Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = 
$identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-157" + Task = "Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-158" + Task = "The Create a pagefile user 
right must only be assigned to the Administrators group." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-159" + Task = "Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join 
", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-160" + Task = "Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-161" + Task = "Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object 
{ $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-162" + Task = "Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-163" + 
Task = "Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-164" + Task = "Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-165" + Task = "Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..01118ef --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#AccountPolicies.ps1 
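Review bot: In every UserRight-150 to UserRight-165 test above, `| ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }` silently drops any expected SID that fails to resolve, so a required principal that cannot be translated never appears in `$identityAccounts.Account` and therefore can never be reported under `$missingUsers`; a right that lacks its required member would still come back as 'Compliant'. Consider comparing on the SID strings rather than the resolved account names, or returning Status 'Warning' when the resolved list is shorter than the input list. Smaller points: the 'No One' tests (UserRight-151, -155, -162, -164, -165) only work because `-notin` against the empty `$identityAccounts.Account` is true for every current account; wrapping both sides in `@()` makes that intent explicit and keeps `.Count` reliable when a single account comes back as a scalar. The Task strings are inconsistent: UserRight-151 names the constant ('SeLockMemoryPrivilege') where the other tests use the display name ('Lock pages in memory'), UserRight-158 uses STIG phrasing ('... must only be assigned to ...') instead of the 'Ensure ... is set to ...' form, and UserRight-154 carries the precondition '[IIS Role NOT installed]' in its Task while its Test never checks whether IIS is present. The second failure message, "The user 'X' setting does not contain the following users", should read "The user right 'X' ..." to match the first one.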
@@ -0,0 +1,255 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15 -or $setPolicy -gt 99999)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 99999 -or $setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x <= 99999 minutes and x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..01bc89f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#AuditPolicies.ps1 
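Review bot: Test 1.1.1 in the AccountPolicies.ps1 hunk above checks `if ($setPolicy -ne 24)`, but its Task reads '24 or more password(s)', so a stricter history size such as 30 is reported as non-compliant; the condition should be `$setPolicy -lt 24` and the message 'Expected: 24' should read 'Expected: x >= 24', matching the form already used in 1.1.3 and 1.1.4. The ID sequence in this file skips 1.1.6 and 1.2.3 (1.1.5 is followed by 1.1.7, and 1.2.2 by 1.2.4); a one-line comment stating whether those benchmark items live in another AuditGroup file or are intentionally omitted would save the next reader a lookup. Minor: `[long]$setPolicy` throws on a non-numeric export value, so the `$null -eq $setPolicy` guard does not cover a malformed policy file; a `try`/`catch` that returns Status 'Warning' would be more robust.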
@@ -0,0 +1,1616 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
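Review bot: In each of the four tests (17.9.2 to 17.9.5) the `Write-Error -Message $errorString` placed after `throw [System.ArgumentException] $errorString` is unreachable, because `throw` leaves the script block first; either drop the `Write-Error` or move it before the `throw`. Two smaller points in the same blocks: `$line` is built with `Select-Object -Skip 3` and can be a collection if `auditpol` leaves more than one row, and `-notmatch` on a collection filters the elements instead of returning a boolean and does not populate `$Matches`, so the later `$Matches[0]` would read a stale or empty value; selecting a single row (for example `Select-Object -Skip 3 -First 1`) keeps the regex in scalar mode. The operator spelling also alternates between `-and` and `-And` inside one condition; pick one.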
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..8daef46 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#RegistrySettings.ps1 
@@ -0,0 +1,16049 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM" ` + -Name "RelaxMinimumPasswordLengthLimits" ` + | Select-Object -ExpandProperty "RelaxMinimumPasswordLengthLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MaxDevicePasswordFailedAttempts" ` + | Select-Object -ExpandProperty "MaxDevicePasswordFailedAttempts" + + if (($regValue -gt 10 -or $regValue -le 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 10 and x > 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.14.1" + Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 1 - 'User is prompted when the key is first used' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.5" + Task = "(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.6" + Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.7" + Task = "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.8" + Task = "(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.9" + Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.10" + Task = "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.11" + Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.12" + Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.13" + Task = "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.14" + Task = "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.15" + Task = "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.16" + Task = "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.17" + Task = "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.18" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.19" + Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.20" + Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.21" + Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.22" + Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.23" + Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.24" + Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.25" + Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.26" + Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.27" + Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.28" + Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.29" + Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.30" + Task = "(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.31" + Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.32" + Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.33" + Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.34" + Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.35" + Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.36" + Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.37" + Task = "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.38" + Task = "(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.39" + Task = "(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.40" + Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.41" + Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.42" + Task = "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.43" + Task = "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.44" + Task = "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.45" + Task = "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = 
"Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = 
"%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.8" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = 
"Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.10" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters" ` + -Name "disablesavepassword" ` + | Select-Object -ExpandProperty "disablesavepassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.13" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "DoHPolicy" ` + | Select-Object -ExpandProperty "DoHPolicy" + + if (($regValue -ne 2) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2 or x == 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' (or 0 - Disable NetBIOS name resolution)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.3" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if (($regValue -ne 255)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.23.2.1" + Task = "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" ` + -Name "AutoConnectAllowedOEM" ` + | Select-Object -ExpandProperty "AutoConnectAllowedOEM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionguardPolicy" ` + | Select-Object -ExpandProperty "RedirectionguardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if (($regValue -ne 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(L1) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 3) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 3 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.7" + Task = "(L1) Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureKernelShadowStacksLaunch" ` + | Select-Object -ExpandProperty "ConfigureKernelShadowStacksLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.1" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDs" ` + | Select-Object -ExpandProperty "DenyDeviceIDs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.2" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "PCI\CC_0C0A") { + return @{ + Message = "Registry value is '$regValue'. Expected: PCI\CC_0C0A" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.3" + Task = "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceIDsRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceIDsRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.4" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 A" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the SBP2 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "1" ` + | Select-Object -ExpandProperty "1" + + if ($regValue -ne "{d48179be-ec20-11d1-b6b8-00c04fa372a7}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {d48179be-ec20-11d1-b6b8-00c04fa372a7}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 B" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the IEC-61883 Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "2" ` + | Select-Object -ExpandProperty "2" + + if ($regValue -ne "{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}") { + return @{ + Message = "Registry value is '$regValue'. 
Expected: {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 C" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 devices that support the AVC Protocol Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "3" ` + | Select-Object -ExpandProperty "3" + + if ($regValue -ne "{c06ff265-ae09-48f0-812c-16753d7cba83}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {c06ff265-ae09-48f0-812c-16753d7cba83}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.5 D" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' [IEEE 1394 Host Bus Controller Class]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" ` + -Name "4" ` + | Select-Object -ExpandProperty "4" + + if ($regValue -ne "{6bdd1fc1-810f-11d0-bec7-08002be2092f}") { + return @{ + Message = "Registry value is '$regValue'. Expected: {6bdd1fc1-810f-11d0-bec7-08002be2092f}" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.1.6" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L2) Ensure 'Turn off access to the Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.14 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCustomSSPsAPs" ` + | Select-Object -ExpandProperty "AllowCustomSSPsAPs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.2" + Task = "(L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.3" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.4" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.1" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.2" + Task = "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.3" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.4" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.5" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.6" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.34.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.34.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.46.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.46.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.48.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.50.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.2" + Task = "(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx" ` + -Name "BlockNonAdminUserInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminUserInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.1" + Task = "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" ` + -Name "LetAppsActivateWithVoiceAboveLock" ` + | Select-Object -ExpandProperty "LetAppsActivateWithVoiceAboveLock" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.2" + Task = "(L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "BlockHostedAppAccessWinRT" ` + | Select-Object -ExpandProperty "BlockHostedAppAccessWinRT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "FDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHardwareEncryption" ` + | Select-Object -ExpandProperty "FDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.11" + Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.12" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVAllowUserCert" ` + | Select-Object -ExpandProperty "FDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.13" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVEnforceUserCert" ` + | Select-Object -ExpandProperty "FDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.1" + Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.2" + Task = "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSAllowSecureBootForIntegrity" ` + | Select-Object -ExpandProperty "OSAllowSecureBootForIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryPassword" ` + | Select-Object -ExpandProperty "OSRecoveryPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryKey" ` + | Select-Object -ExpandProperty "OSRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "OSActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.10" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.11" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHardwareEncryption" ` + | Select-Object -ExpandProperty "OSHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.12" + Task = "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "OSPassphrase" ` + | Select-Object -ExpandProperty "OSPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.13" + Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.2.14" + Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "RDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.10" + Task = "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHardwareEncryption" ` + | Select-Object -ExpandProperty "RDVHardwareEncryption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.11" + Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.12" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVAllowUserCert" ` + | Select-Object -ExpandProperty "RDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.13" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVEnforceUserCert" ` + | Select-Object -ExpandProperty "RDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.14" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.3.15" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.4" + Task = "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "DisableExternalDMAUnderLock" ` + | Select-Object -ExpandProperty "DisableExternalDMAUnderLock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.12.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.2" + Task = "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableCloudOptimizedContent" ` + | Select-Object -ExpandProperty "DisableCloudOptimizedContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.3" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.3" + Task = "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "NoLocalPasswordResetQuestions" ` + | Select-Object -ExpandProperty "NoLocalPasswordResetQuestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.1" + Task = "(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeliveryOptimization" ` + -Name "DODownloadMode" ` + | Select-Object -ExpandProperty "DODownloadMode" + + if (($regValue -eq 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x != 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.1" + Task = "(L1) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.4" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.3" + Task = "(L2) Ensure 'Turn off files from Office.com in Quick access view' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "DisableGraphRecentItems" ` + | Select-Object -ExpandProperty "DisableGraphRecentItems" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.4" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.5" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.33.1" + Task = "(L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup" ` + -Name "DisableHomeGroup" ` + | Select-Object -ExpandProperty "DisableHomeGroup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.37.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 M" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.7.1" + Task = "(L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.1" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.2" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.17" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if($avstatus){ + + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.1" + Task = "(L1) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AuditApplicationGuard" ` + | Select-Object -ExpandProperty "AuditApplicationGuard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.2" + Task = "(L1) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowCameraMicrophoneRedirection" ` + | Select-Object -ExpandProperty "AllowCameraMicrophoneRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.3" + Task = "(L1) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowPersistence" ` + | Select-Object -ExpandProperty "AllowPersistence" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.4" + Task = "(L1) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "SaveFilesToHost" ` + | Select-Object -ExpandProperty "SaveFilesToHost" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.5" + Task = "(L1) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AppHVSIClipboardSettings" ` + | Select-Object -ExpandProperty "AppHVSIClipboardSettings" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.44.6" + Task = "(L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI" ` + -Name "AllowAppHVSI_ProviderSet" ` + | Select-Object -ExpandProperty "AllowAppHVSI_ProviderSet" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + "
Warning: Defender Application Guard is deprecated. More info." + Status = "False" + } + } + + return @{ + Message = "Compliant" + "
Warning: Defender Application Guard is deprecated. More info." + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" ` + -Name "EnableFeeds" ` + | Select-Object -ExpandProperty "EnableFeeds" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.51.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.2" + Task = "(L2) Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" ` + -Name "DisableCloudClipboardIntegration" ` + | Select-Object -ExpandProperty "DisableCloudClipboardIntegration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.3" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.2.1" + Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.1" + Task = "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "EnableUiaRedirection" ` + | Select-Object -ExpandProperty "EnableUiaRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.2" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.3" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.4" + Task = "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLocationRedir" ` + | Select-Object -ExpandProperty "fDisableLocationRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.5" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.6" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.7" + Task = "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableWebAuthn" ` + | Select-Object -ExpandProperty "fDisableWebAuthn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.3" + Task = "(L1) Ensure 'Allow Cortana' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortana" ` + | Select-Object -ExpandProperty "AllowCortana" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.4" + Task = "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCortanaAboveLock" ` + | Select-Object -ExpandProperty "AllowCortanaAboveLock" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.5" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.6" + Task = "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowSearchToUseLocation" ` + | Select-Object -ExpandProperty "AllowSearchToUseLocation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.7" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.63.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.1" + Task = "(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableStoreApps" ` + | Select-Object -ExpandProperty "DisableStoreApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.2" + Task = "(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RequirePrivateStoreOnly" ` + | Select-Object -ExpandProperty "RequirePrivateStoreOnly" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.3" + Task = "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.4" + Task = "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "DisableOSUpgrade" ` + | Select-Object -ExpandProperty "DisableOSUpgrade" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.66.5" + Task = "(L2) Ensure 'Turn off the Store application' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.72.1" + Task = "(L1) Ensure 'Allow widgets' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" ` + -Name "AllowNewsAndInterests" ` + | Select-Object -ExpandProperty "AllowNewsAndInterests" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.1" + Task = "(L1) Ensure 'Notify Malicious' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyMalicious" ` + | Select-Object -ExpandProperty "NotifyMalicious" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.2" + Task = "(L1) Ensure 'Notify Password Reuse' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyPasswordReuse" ` + | Select-Object -ExpandProperty "NotifyPasswordReuse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.3" + Task = "(L1) Ensure 'Notify Unsafe App' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "NotifyUnsafeApp" ` + | Select-Object -ExpandProperty "NotifyUnsafeApp" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.1.4" + Task = "(L1) Ensure 'Service Enabled' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components" ` + -Name "ServiceEnabled" ` + | Select-Object -ExpandProperty "ServiceEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.3.1" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.3.2" + Task = "(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.78.1" + Task = "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR" ` + -Name "AllowGameDVR" ` + | Select-Object -ExpandProperty "AllowGameDVR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.1" + Task = "(L1) Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\Biometrics" ` + -Name "EnableESSwithSupportedPeripherals" ` + | Select-Object -ExpandProperty "EnableESSwithSupportedPeripherals" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.1" + Task = "(L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.2" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.1" + Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.2" + Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.1" + Task = "(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowClipboardRedirection" ` + | Select-Object -ExpandProperty "AllowClipboardRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2" + Task = "(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox" ` + -Name "AllowNetworking" ` + | Select-Object -ExpandProperty "AllowNetworking" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.3" + Task = "(L1) Ensure 'Remove access to `"Pause updates`" feature' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "SetDisablePauseUXAccess" ` + | Select-Object -ExpandProperty "SetDisablePauseUXAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if (($regValue -lt 180 -or $regValue -gt 365)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 C" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (BranchReadinessLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "BranchReadinessLevel" ` + | Select-Object -ExpandProperty "BranchReadinessLevel" + + if (($regValue -ne 32)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 32" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.1" + Task = "(L1) Ensure 'Enable screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.2" + Task = "(L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..55176b4 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#SecurityOptions.ps1 
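Review bot: In the AdministrativeTemplates hunk, test 18.10.93.4.2 B fails any DeferFeatureUpdatesPeriodInDays above 365 (`if (($regValue -lt 180 -or $regValue -gt 365))`), while its own Task string promises "Enabled: 180 or more days"; either drop the upper bound so the condition is `if ($regValue -lt 180)` with "Expected: x >= 180", or state the 365 ceiling in the Task text so the report and the check agree. Also note that 19.1.3.1 and 19.1.3.2 read `Registry::HKEY_CURRENT_USER\...\Control Panel\Desktop`, so when the auditor runs in an elevated session they evaluate the hive of the account that launched it rather than the interactive user's; a comment on those two tests saying which user the result applies to would save readers a wrong conclusion. The per-test try/catch block is repeated verbatim for every registry test in this file; a small helper that takes path, name and expected value would cut the hunk to a fraction of its size and keep the error messages consistent.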
@@ -0,0 +1,130 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#UserRights.ps1 new file mode 100644 index 0000000..5e3fb5c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 11-Stand-alone-CIS-2.0.0#UserRights.ps1 
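Review bot: In the SecurityOptions hunk, the failure messages of 2.3.1.4 and 2.3.1.5 ("'NewAdministratorName' currently set to: $setOption.") do not say what was expected, unlike every other test in the file; append something like "Expected: a name not containing 'Administrator'" so the report is actionable without opening the source. The two rename checks are also inconsistent with each other: 2.3.1.5 uses an inline `(?i)` and adds the German "Gast", while 2.3.1.4 has neither; since `-notmatch` is already case-insensitive in PowerShell the `(?i)` is redundant, and it is worth a comment stating that the word-boundary pattern deliberately accepts names such as "Administrator2" if that is the intent.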
@@ -0,0 +1,1311 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object 
{ $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers 
-join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + 
Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + 
$identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + 
$messages = @() + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message 
+ } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Configure 'Create symbolic links' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. 
This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } 
+ + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message 
= $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + "S-1-5-20" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + 
"S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @() | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else{ + [AuditTest] @{ + Id = "2.2.29" + Task = "(L2) Configure 'Log on as a service' [Hyper-V-Feature installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeServiceLogonRight"] + $identityAccounts = @( + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeServiceLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Manage 
auditing and security log' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + 
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.33" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + 
return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators, Users'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-545" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#AccountPolicies.ps1 new file mode 100644 index 0000000..d18b2b2 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#AccountPolicies.ps1 
@@ -0,0 +1,255 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 60 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 10 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 10 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#AuditPolicies.ps1 new file mode 100644 index 0000000..701ef72 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#AuditPolicies.ps1 
@@ -0,0 +1,1388 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit Process Creation' is set to 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Logoff' is set to 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Special Logon' is set to 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#RegistrySettings.ps1 new file mode 100644 index 0000000..3488536 --- /dev/null 
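Review bot: the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` in every Test block of this hunk is unreachable, because `throw` leaves the script block before it runs; either drop the `Write-Error` or move it ahead of the `throw`. The same ~50-line body is repeated verbatim for each subcategory (17.2.2 through 17.9.5) with only the subcategory name and the accepted values changing, so every fix to the parsing has to be made in each copy: `Select-Object -Skip 3` assumes exactly three non-empty header lines precede the setting line (if that assumption fails, `$line` becomes an array, `-notmatch` no longer populates `$Matches`, and `$Matches[0]` reads a stale value), and the regex only recognises English and German setting names, so any other display language ends in "Couldn't get setting." A helper that takes the subcategory name and returns either the parsed setting or the Warning/None hashtable would reduce each [AuditTest] to the comparison against its expected value. Minor: `-and` and `-And` are mixed within one condition, e.g. `$setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg"`.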
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows 7-CIS-3.1.0#RegistrySettings.ps1 
@@ -0,0 +1,10042 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "2") { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.2" + Task = "(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x <= 15 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if (($regValue -ne 2147483644) -and ($regValue -ne 2147483640)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2147483644 or x == 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -lt 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.14.1" + Task = "(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.9" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.3" + Task = "(L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.4" + Task = "(L1) Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.5" + Task = "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.6" + Task = "(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.7" + Task = "(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.8" + Task = "(L1) Ensure 'Media Center Extender Service (Mcx2Svc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mcx2Svc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.9" + Task = "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.10" + Task = "(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.11" + Task = "(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.12" + Task = "(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.13" + Task = "(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.14" + Task = "(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.15" + Task = "(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.16" + Task = "(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.17" + Task = "(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.18" + Task = "(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.19" + Task = "(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.20" + Task = "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.21" + Task = "(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.22" + Task = "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.23" + Task = "(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.24" + Task = "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.25" + Task = "(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.26" + Task = "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.27" + Task = "(L1) Ensure 'Telnet (TlntSvr)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.28" + Task = "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.29" + Task = "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.30" + Task = "(L1) Ensure 'Windows CardSpace (idsvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.31" + Task = "(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.32" + Task = "(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.33" + Task = "(L1) Ensure 'Windows Media Center Receiver Service (ehRecvr)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehRecvr" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.34" + Task = "(L1) Ensure 'Windows Media Center Scheduler Service (ehSched)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehSched" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.35" + Task = "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.36" + Task = "(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.37" + Task = "(L1) Ensure 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.38" + Task = "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = 
$($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary 
Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.8" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = 
$($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = 
$($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue 
-ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.8" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + 
Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = 
$($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue 
-ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.10" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.2.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.3" + Task = "(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if (($regValue -lt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.2.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if (($regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.3" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.4" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.5" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.6" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters" ` + -Name "disablesavepassword" ` + | Select-Object -ExpandProperty "disablesavepassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.8" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.9" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.10" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if (($regValue -gt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.12" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.13" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4.1" + Task = "(L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4.2" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11.3" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.7.1.1" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClasses" ` + | Select-Object -ExpandProperty "DenyDeviceClasses" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.7.1.3" + Task = "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" ` + -Name "DenyDeviceClassesRetroactive" ` + | Select-Object -ExpandProperty "DenyDeviceClassesRetroactive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.7.2" + Task = "(L1) Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings" ` + -Name "AllowRemoteRPC" ` + | Select-Object -ExpandProperty "AllowRemoteRPC" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.21.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.21.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.21.4" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.1" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.2" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.3" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.4" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.5" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.6" + Task = "(L2) Ensure 'Turn off Internet File Association service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInternetOpenWith" ` + | Select-Object -ExpandProperty "NoInternetOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.7" + Task = "(L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.8" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.9" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.10" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.11" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.12" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.22.1.13" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.27.1" + Task = "(L1) Ensure 'Always use classic logon' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LogonType" ` + | Select-Object -ExpandProperty "LogonType" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.33.6.1" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.33.6.2" + Task = "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.33.6.3" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.33.6.4" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.36.2" + Task = "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.44.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.44.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.49.1.1" + Task = "(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.49.1.2" + Task = "(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.8.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "FDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: This value should be empty." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecovery" ` + | Select-Object -ExpandProperty "FDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVManageDRA" ` + | Select-Object -ExpandProperty "FDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryPassword" ` + | Select-Object -ExpandProperty "FDVRecoveryPassword" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRecoveryKey" ` + | Select-Object -ExpandProperty "FDVRecoveryKey" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "FDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "FDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "FDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "FDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.10" + Task = "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVPassphrase" ` + | Select-Object -ExpandProperty "FDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.11" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVAllowUserCert" ` + | Select-Object -ExpandProperty "FDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.1.12" + Task = "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "FDVEnforceUserCert" ` + | Select-Object -ExpandProperty "FDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.1" + Task = "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "UseEnhancedPin" ` + | Select-Object -ExpandProperty "UseEnhancedPin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecovery" ` + | Select-Object -ExpandProperty "OSRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSManageDRA" ` + | Select-Object -ExpandProperty "OSManageDRA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryPassword" ` + | Select-Object -ExpandProperty "OSRecoveryPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRecoveryKey" ` + | Select-Object -ExpandProperty "OSRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSHideRecoveryPage" ` + | Select-Object -ExpandProperty "OSHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "OSActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "OSRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "OSRequireActiveDirectoryBackup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.10" + Task = "(BL) Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "MinimumPIN" ` + | Select-Object -ExpandProperty "MinimumPIN" + + if (($regValue -lt 7)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.11" + Task = "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseAdvancedStartup" ` + | Select-Object -ExpandProperty "UseAdvancedStartup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.12" + Task = "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EnableBDEWithNoTPM" ` + | Select-Object -ExpandProperty "EnableBDEWithNoTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.13" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPM" ` + | Select-Object -ExpandProperty "UseTPM" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.14" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMPIN" ` + | Select-Object -ExpandProperty "UseTPMPIN" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.15" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKey" ` + | Select-Object -ExpandProperty "UseTPMKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.2.16" + Task = "(BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "UseTPMKeyPIN" ` + | Select-Object -ExpandProperty "UseTPMKeyPIN" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.1" + Task = "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDiscoveryVolumeType" ` + | Select-Object -ExpandProperty "RDVDiscoveryVolumeType" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: ''" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.2" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecovery" ` + | Select-Object -ExpandProperty "RDVRecovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.3" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVManageDRA" ` + | Select-Object -ExpandProperty "RDVManageDRA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.4" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryPassword" ` + | Select-Object -ExpandProperty "RDVRecoveryPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.5" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRecoveryKey" ` + | Select-Object -ExpandProperty "RDVRecoveryKey" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.6" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVHideRecoveryPage" ` + | Select-Object -ExpandProperty "RDVHideRecoveryPage" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.7" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.8" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVActiveDirectoryInfoToStore" ` + | Select-Object -ExpandProperty "RDVActiveDirectoryInfoToStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.9" + Task = "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "RDVRequireActiveDirectoryBackup" ` + | Select-Object -ExpandProperty "RDVRequireActiveDirectoryBackup" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.10" + Task = "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVPassphrase" ` + | Select-Object -ExpandProperty "RDVPassphrase" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.11" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVAllowUserCert" ` + | Select-Object -ExpandProperty "RDVAllowUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.12" + Task = "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVEnforceUserCert" ` + | Select-Object -ExpandProperty "RDVEnforceUserCert" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.13" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE" ` + -Name "RDVDenyWriteAccess" ` + | Select-Object -ExpandProperty "RDVDenyWriteAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.3.14" + Task = "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE" ` + -Name "RDVDenyCrossOrg" ` + | Select-Object -ExpandProperty "RDVDenyCrossOrg" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.11.4" + Task = "(BL) Ensure 'Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)' is set to 'Enabled: AES 256-bit with Diffuser'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" ` + -Name "EncryptionMethod" ` + | Select-Object -ExpandProperty "EncryptionMethod" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.15.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.18.1" + Task = "(L1) Ensure 'Turn off desktop gadgets' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" ` + -Name "TurnOffSidebar" ` + | Select-Object -ExpandProperty "TurnOffSidebar" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.18.2" + Task = "(L1) Ensure 'Turn Off user-installed desktop gadgets' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar" ` + -Name "TurnOffUserInstalledGadgets" ` + | Select-Object -ExpandProperty "TurnOffUserInstalledGadgets" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(L1) Ensure 'EMET 5.52' or higher is installed" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EMET_Service" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.3" + Task = "(L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Internet Explorer\iexplore.exe" ` + | Select-Object -ExpandProperty "*\Internet Explorer\iexplore.exe" + + if ($regValue -ne "+EAF+ eaf_modules:mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll +ASR asr_modules:npjpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll asr_zones:1;2") { + return @{ + Message = "Registry value is '$regValue'. Expected: +EAF+ eaf_modules:mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll +ASR asr_modules:npjpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll asr_zones:1;2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.4" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Mozilla Thunderbird\thunderbird.exe" ` + | Select-Object -ExpandProperty "*\Mozilla Thunderbird\thunderbird.exe" + + if ($regValue -notmatch "^$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.5" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Java\jre*\bin\javaws.exe" ` + | Select-Object -ExpandProperty "*\Java\jre*\bin\javaws.exe" + + if ($regValue -ne "-HeapSpray") { + return @{ + Message = "Registry value is '$regValue'. Expected: -HeapSpray" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.6" + Task = "(L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "ASLR" ` + | Select-Object -ExpandProperty "ASLR" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.7" + Task = "(L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "DEP" ` + | Select-Object -ExpandProperty "DEP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.8" + Task = "(L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "SEHOP" ` + | Select-Object -ExpandProperty "SEHOP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup" ` + -Name "DisableHomeGroup" ` + | Select-Object -ExpandProperty "DisableHomeGroup" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.2" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.52.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.52.2" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSync" ` + | Select-Object -ExpandProperty "DisableFileSync" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.2.1" + Task = "(L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDenyTSConnections" ` + | Select-Object -ExpandProperty "fDenyTSConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.3.1" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.3.2" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.3.3" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.3.4" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.9.3" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.59.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.60.2" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.76.3.1" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.76.14" + Task = "(L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.81.2.1" + Task = "(L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent" ` + -Name "DefaultConsent" ` + | Select-Object -ExpandProperty "DefaultConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.85.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.85.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.85.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.95.1" + Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.95.2" + Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.97.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.98.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.101.2" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.101.3" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.101.4" + Task = "(L1) Ensure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAUAsDefaultShutdownOption" ` + | Select-Object -ExpandProperty "NoAUAsDefaultShutdownOption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.101.5" + Task = "(L1) Ensure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAUShutdownOption" ` + | Select-Object -ExpandProperty "NoAUShutdownOption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.101.6" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
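Review bot: In 18.9.76.3.1 ('Join Microsoft MAPS') both catch blocks return Status "True" with "Compliant. Registry value not found." / "Compliant. Registry key not found.", while every other test in this file treats an absent value or key as a failure. If "not configured" is deliberately accepted for this one setting, add a comment stating why; otherwise make the catch blocks consistent with the rest of the file so the auditor does not report a passing control it never actually observed. Second, 18.9.95.1 and 18.9.95.2 only pass when EnableScriptBlockLogging and EnableTranscripting are 0, i.e. when PowerShell's primary attack telemetry is switched off; please confirm that this is what the targeted benchmark revision says, since later CIS Windows revisions changed 18.9.95.1 to 'Enabled'. Minor: every test repeats the same ~30-line try/catch template around a single Get-ItemProperty call; a small helper taking path, name and expected value (or a comparison scriptblock) would make these files far easier to review and keep the error handling uniform.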
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings.ps1 new file mode 100644 index 0000000..be968cb --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings.ps1 
@@ -0,0 +1,144 @@ +[AuditTest] @{ + Id = "2.0" + Task = "Ensure 'Enable DCOM Hardening' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" ` + -Name "RequireIntegrityActivationAuthenticationLevel" ` + | Select-Object -ExpandProperty "RequireIntegrityActivationAuthenticationLevel" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "Ensure 'Raise Authentication Level' is set to 'Raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat" ` + -Name "RaiseActivationAuthenticationLevel" ` + | Select-Object -ExpandProperty "RaiseActivationAuthenticationLevel" + + if (($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.0" + Task = "IPv6 Configuration Policy: Prefer IPv4 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0x20 (32)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if (($regValue -ne 32)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 32" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.0" + Task = "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
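Review bot: Tests 2.0 and 2.1 report "Registry value not found." as False, but for RequireIntegrityActivationAuthenticationLevel this is a false negative on patched hosts: since the final enforcement phase of the DCOM hardening described in Microsoft KB5004442 (March 2023), the hardening is on by default and the registry value is ignored, so an absent value on a current build means "hardened", not "unconfigured". Consider treating a missing value as compliant when the OS build is at or beyond the enforcement phase, or at least document the caveat in the Task text. Nit: the messages here say "Expected: x == 1" / "Expected: x == 2" while the CIS files in the same change use "Expected: 1"; pick one wording for all audit groups.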
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights.ps1 new file mode 100644 index 0000000..701495e --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights.ps1 
@@ -0,0 +1,102 @@ +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "1.0" + Task = "Ensure 'Debug programs' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object 
{ $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDebugPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..7dd897b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#AccountPolicies.ps1 
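Review bot: On the UserRights.ps1 hunk above, the catch-all in ConvertTo-NTAccountUser turns every translation failure into @{ Account = "Orphaned Account"; Sid = $Name }, so a typo in an expected-identity literal is reported as a "missing user" in the test result rather than failing the script; narrow the catch to IdentityNotMappedException (or log the exception) so real orphaned SIDs and script bugs stay distinguishable. The Hyper-V guard calls Get-WindowsOptionalFeature -Online, which requires an elevated session and spins up DISM; it runs inside the process block on every pipeline item that resolves to S-1-5-83-0, so cache the result once per run. The de-DE branch only remaps "Enterprise Admins" and "Domain Admins" and re-reads Get-UICulture per item; the Well-known SID map already sidesteps localisation, so prefer resolving domain groups via their RID-based SIDs as well. Nit in the failure message: "The user 'SeDebugPrivilege' setting does not contain" should read "The user right 'SeDebugPrivilege' does not contain".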
@@ -0,0 +1,255 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 365 -or $setPolicy -le 0) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0 " + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 1) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 15 -or $setPolicy -gt 99999) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 and x <= 99999" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 99999 -or $setPolicy -lt 15) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x <= 99999 and x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..62e297d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#AuditPolicies.ps1 
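Review bot: the `[long]$setPolicy` cast in each of these tests (1.1.4 through 1.2.4) is unguarded, so a non-numeric value in the `System Access` section would throw out of the `Test` scriptblock instead of producing a `Status`/`Message` result like the `$null` branch does; consider wrapping the cast in `try { ... } catch { return @{ Status = "Warning"; Message = "..." } }` or using `[long]::TryParse`. Also, the Ids jump from "1.2.2" to "1.2.4"; if 1.2.3 is deliberately not implemented in this group, a short comment at that point would make the omission clearly intentional rather than an oversight.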
@@ -0,0 +1,1922 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.2" + Task = "(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.3" + Task = "(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.6" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.1" + Task = "(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.2" + Task = "(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
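Review bot: In every Test block of this hunk the line `Write-Error -Message $errorString` after `throw [System.ArgumentException] $errorString` is unreachable, since throw leaves the scriptblock first; either drop the Write-Error or place it before the throw. A second point in the same blocks: `$line = $auditPolicyString | Where-Object { $_ } | Select-Object -Skip 3` can yield more than one line if auditpol prints extra trailing text, and `-notmatch` applied to an array returns the non-matching elements instead of a boolean and does not populate `$Matches`, so `$Matches[0]` on the next line would be stale or empty; `Select-Object -Skip 3 -First 1` (or joining the lines) pins the comparison to a single string. Finally, the roughly fifty identical lines repeated for each of 17.5.4 through 17.9.5 (GUID lookup, auditpol call, exit-code check, header stripping, regex) only differ in the subcategory name and the accepted settings; a helper beside `Get-AuditPolicySubcategoryGUID` in AuditGroupFunctions.ps1 that takes the subcategory and the list of compliant values would make the `-And`/`-and` casing and any future locale additions (only English and German strings are matched here) a one-place change.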
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..fd7f09a --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#RegistrySettings.ps1 
@@ -0,0 +1,12455 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.2" + Task = "(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.1" + Task = "(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SubmitControl" ` + | Select-Object -ExpandProperty "SubmitControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.2" + Task = "(L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "vulnerablechannelallowlist" ` + | Select-Object -ExpandProperty "vulnerablechannelallowlist" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.3" + Task = "(L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.4" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.5" + Task = "(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if ($regValue -le 0 -or $regValue -gt 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -gt 900 -or $regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if ($regValue -gt 14 -or $regValue -lt 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ForceUnlockLogon" ` + | Select-Object -ExpandProperty "ForceUnlockLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 1 - 'Lock Workstation' or 2 / 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if ($regValue -gt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC NETLOGON SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +$CARoleStatus = $null +$WINSStatus = $null +try { + $CARoleStatus = (Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction Stop).Installed + $WINSStatus = (Get-WindowsFeature -Name WINS -ErrorAction Stop).Installed +} catch { + Write-Verbose "Get-WindowsFeature is not installed." +} +[AuditTest] @{ + Id = "2.3.10.9 A" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' [WINS Role Feature and CA Role Service NOT installed]" + Test = { + try { + if (($CARoleStatus -or $WINSStatus) -eq $true){ + return @{ + Message = "WINS Role Feature or CA Role Service are installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + 
"System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 B" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [CA Role Service installed]" + Test = { + try { + if ($CARoleStatus -eq $false){ + return @{ + Message = "CA Role Service NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\CertSvc" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 C" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [WINS Role Feature installed]" + Test = { + try { + if ($WINSStatus -eq $false){ + return @{ + Message = "WINS Role Feature NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal 
Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\WINS" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\WINS" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.13" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 1 - 'Negotiate signing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.13.1" + Task = "(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ShutdownWithoutLogon" ` + | Select-Object -ExpandProperty "ShutdownWithoutLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member 
Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType 
= "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows 
Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.8" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + 
$expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = 
"Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.8" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = 
"Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.10" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty 
-ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.3" + Task = "(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if ($regValue -lt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if ($regValue -gt 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'LSA Protection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if ($regValue -gt 90) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' (or 0 - Disable NetBIOS name resolution)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if ($regValue -ne 2 -and $regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." 
+ Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`" and `"Require Integrity`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.2" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.3" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.4" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.5" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.6" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.1" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.32.6.2" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.34.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.34.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.46.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.46.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.48.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.50.1.1" + Task = "(L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.50.1.2" + Task = "(L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.1" + Task = "(L1) Ensure 'EMET 5.52' or higher is installed" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EMET_Service" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.2 A" + Task = "(L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "AntiDetours" ` + | Select-Object -ExpandProperty "AntiDetours" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.2 B" + Task = "(L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "BannedFunctions" ` + | Select-Object -ExpandProperty "BannedFunctions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.2 C" + Task = "(L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "DeepHooks" ` + | Select-Object -ExpandProperty "DeepHooks" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.2 D" + Task = "(L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "ExploitAction" ` + | Select-Object -ExpandProperty "ExploitAction" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.3" + Task = "(L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Internet Explorer\iexplore.exe" ` + | Select-Object -ExpandProperty "*\Internet Explorer\iexplore.exe" + + if ($regValue -ne "+EAF+ eaf_modules:mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll +ASR asr_modules:npjpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll asr_zones:1;2") { + return @{ + Message = "Registry value is '$regValue'. Expected: +EAF+ eaf_modules:mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll +ASR asr_modules:npjpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll asr_zones:1;2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 A" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\7-Zip\7z.exe" ` + | Select-Object -ExpandProperty "*\7-Zip\7z.exe" + + if ($regValue -ne "-EAF") { + return @{ + Message = "Registry value is '$regValue'. Expected: -EAF" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AA" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Windows Live\Photo Gallery\WLXPhotoGallery.exe" ` + | Select-Object -ExpandProperty "*\Windows Live\Photo Gallery\WLXPhotoGallery.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AB" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Windows Live\Writer\WindowsLiveWriter.exe" ` + | Select-Object -ExpandProperty "*\Windows Live\Writer\WindowsLiveWriter.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AC" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Windows Media Player\wmplayer.exe" ` + | Select-Object -ExpandProperty "*\Windows Media Player\wmplayer.exe" + + if ($regValue -ne "-EAF -MandatoryASLR") { + return @{ + Message = "Registry value is '$regValue'. Expected: -EAF -MandatoryASLR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AD" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\WinRAR\rar.exe" ` + | Select-Object -ExpandProperty "*\WinRAR\rar.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AE" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\WinRAR\unrar.exe" ` + | Select-Object -ExpandProperty "*\WinRAR\unrar.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AF" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\WinRAR\winrar.exe" ` + | Select-Object -ExpandProperty "*\WinRAR\winrar.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AG" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\WinZip\winzip32.exe" ` + | Select-Object -ExpandProperty "*\WinZip\winzip32.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 AH" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\WinZip\winzip64.exe" ` + | Select-Object -ExpandProperty "*\WinZip\winzip64.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 B" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\7-Zip\7zG.exe" ` + | Select-Object -ExpandProperty "*\7-Zip\7zG.exe" + + if ($regValue -ne "-EAF") { + return @{ + Message = "Registry value is '$regValue'. Expected: -EAF" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 C" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\7-Zip\7zFM.exe" ` + | Select-Object -ExpandProperty "*\7-Zip\7zFM.exe" + + if ($regValue -ne "-EAF") { + return @{ + Message = "Registry value is '$regValue'. Expected: -EAF" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 D" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Adobe\Adobe Photoshop CS*\Photoshop.exe" ` + | Select-Object -ExpandProperty "*\Adobe\Adobe Photoshop CS*\Photoshop.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 E" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Foxit Reader\Foxit Reader.exe" ` + | Select-Object -ExpandProperty "*\Foxit Reader\Foxit Reader.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 F" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Google\Chrome\Application\chrome.exe" ` + | Select-Object -ExpandProperty "*\Google\Chrome\Application\chrome.exe" + + if ($regValue -ne "+EAF+ eaf_modules:chrome_child.dll") { + return @{ + Message = "Registry value is '$regValue'. Expected: +EAF+ eaf_modules:chrome_child.dll" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 G" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Google\Google Talk\googletalk.exe" ` + | Select-Object -ExpandProperty "*\Google\Google Talk\googletalk.exe" + + if ($regValue -ne "-DEP") { + return @{ + Message = "Registry value is '$regValue'. Expected: -DEP" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 H" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\iTunes\iTunes.exe" ` + | Select-Object -ExpandProperty "*\iTunes\iTunes.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 I" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Microsoft Lync\communicator.exe" ` + | Select-Object -ExpandProperty "*\Microsoft Lync\communicator.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 J" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\mIRC\mirc.exe" ` + | Select-Object -ExpandProperty "*\mIRC\mirc.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 K" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Mozilla Firefox\firefox.exe" ` + | Select-Object -ExpandProperty "*\Mozilla Firefox\firefox.exe" + + if ($regValue -ne "+EAF+ eaf_modules:mozjs.dll;xul.dll") { + return @{ + Message = "Registry value is '$regValue'. Expected: +EAF+ eaf_modules:mozjs.dll;xul.dll" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 L" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Mozilla Firefox\plugin-container.exe" ` + | Select-Object -ExpandProperty "*\Mozilla Firefox\plugin-container.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 M" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Mozilla Thunderbird\plugin-container.exe" ` + | Select-Object -ExpandProperty "*\Mozilla Thunderbird\plugin-container.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 N" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Mozilla Thunderbird\thunderbird.exe" ` + | Select-Object -ExpandProperty "*\Mozilla Thunderbird\thunderbird.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 O" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Opera\*\opera.exe" ` + | Select-Object -ExpandProperty "*\Opera\*\opera.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 P" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Opera\opera.exe" ` + | Select-Object -ExpandProperty "*\Opera\opera.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 Q" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Pidgin\pidgin.exe" ` + | Select-Object -ExpandProperty "*\Pidgin\pidgin.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 R" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\QuickTime\QuickTimePlayer.exe" ` + | Select-Object -ExpandProperty "*\QuickTime\QuickTimePlayer.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 S" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Real\RealPlayer\realconverter.exe" ` + | Select-Object -ExpandProperty "*\Real\RealPlayer\realconverter.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 T" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Real\RealPlayer\realplay.exe" ` + | Select-Object -ExpandProperty "*\Real\RealPlayer\realplay.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 U" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Safari\Safari.exe" ` + | Select-Object -ExpandProperty "*\Safari\Safari.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 V" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\SkyDrive\SkyDrive.exe" ` + | Select-Object -ExpandProperty "*\SkyDrive\SkyDrive.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 W" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Skype\Phone\Skype.exe" ` + | Select-Object -ExpandProperty "*\Skype\Phone\Skype.exe" + + if ($regValue -ne "-EAF") { + return @{ + Message = "Registry value is '$regValue'. Expected: -EAF" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 X" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\VideoLAN\VLC\vlc.exe" ` + | Select-Object -ExpandProperty "*\VideoLAN\VLC\vlc.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 Y" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Winamp\winamp.exe" ` + | Select-Object -ExpandProperty "*\Winamp\winamp.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.4 Z" + Task = "(L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Windows Live\Mail\wlmail.exe" ` + | Select-Object -ExpandProperty "*\Windows Live\Mail\wlmail.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 A" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Adobe\*\Reader\AcroRd32.exe" ` + | Select-Object -ExpandProperty "*\Adobe\*\Reader\AcroRd32.exe" + + if ($regValue -ne "+EAF+ eaf_modules:AcroRd32.dll;Acrofx32.dll;AcroForm.api") { + return @{ + Message = "Registry value is '$regValue'. Expected: +EAF+ eaf_modules:AcroRd32.dll;Acrofx32.dll;AcroForm.api" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 B" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Adobe\Acrobat*\Acrobat\Acrobat.exe" ` + | Select-Object -ExpandProperty "*\Adobe\Acrobat*\Acrobat\Acrobat.exe" + + if ($regValue -ne "+EAF+ eaf_modules:AcroRd32.dll;Acrofx32.dll;AcroForm.api") { + return @{ + Message = "Registry value is '$regValue'. Expected: +EAF+ eaf_modules:AcroRd32.dll;Acrofx32.dll;AcroForm.api" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 C" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Java\jre*\bin\java.exe" ` + | Select-Object -ExpandProperty "*\Java\jre*\bin\java.exe" + + if ($regValue -ne "-HeapSpray") { + return @{ + Message = "Registry value is '$regValue'. Expected: -HeapSpray" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 D" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Java\jre*\bin\javaw.exe" ` + | Select-Object -ExpandProperty "*\Java\jre*\bin\javaw.exe" + + if ($regValue -ne "-HeapSpray") { + return @{ + Message = "Registry value is '$regValue'. Expected: -HeapSpray" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 E" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Java\jre*\bin\javaws.exe" ` + | Select-Object -ExpandProperty "*\Java\jre*\bin\javaws.exe" + + if ($regValue -ne "-HeapSpray") { + return @{ + Message = "Registry value is '$regValue'. Expected: -HeapSpray" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 F" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\EXCEL.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\EXCEL.exe" + + if ($regValue -ne "+ASR asr_modules:flash*.ocx") { + return @{ + Message = "Registry value is '$regValue'. Expected: +ASR asr_modules:flash*.ocx" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 G" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\INFOPATH.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\INFOPATH.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 H" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\LYNC.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\LYNC.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 I" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\MSACCESS.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\MSACCESS.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 J" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\MSPUB.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\MSPUB.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 K" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\OIS.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\OIS.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 L" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\OUTLOOK.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\OUTLOOK.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 M" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\POWERPNT.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\POWERPNT.exe" + + if ($regValue -ne "+ASR asr_modules:flash*.ocx") { + return @{ + Message = "Registry value is '$regValue'. Expected: +ASR asr_modules:flash*.ocx" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 N" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\PPTVIEW.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\PPTVIEW.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 O" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\VISIO.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\VISIO.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 P" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\VPREVIEW.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\VPREVIEW.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 Q" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\OFFICE1*\WINWORD.exe" ` + | Select-Object -ExpandProperty "*\OFFICE1*\WINWORD.exe" + + if ($regValue -ne "+ASR asr_modules:flash*.ocx") { + return @{ + Message = "Registry value is '$regValue'. Expected: +ASR asr_modules:flash*.ocx" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.5 R" + Task = "(L1) Ensure 'Default Protections for Recommended Software' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults" ` + -Name "*\Windows NT\Accessories\wordpad.exe" ` + | Select-Object -ExpandProperty "*\Windows NT\Accessories\wordpad.exe" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.6" + Task = "(L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "ASLR" ` + | Select-Object -ExpandProperty "ASLR" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.7" + Task = "(L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "DEP" ` + | Select-Object -ExpandProperty "DEP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.24.8" + Task = "(L1) Ensure 'System SEHOP' is set to 'Enabled: Application Opt-Out'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings" ` + -Name "SEHOP" ` + | Select-Object -ExpandProperty "SEHOP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.37.1.1" + Task = "(L2) Ensure 'Turn off Windows Location Provider' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableWindowsLocationProvider" ` + | Select-Object -ExpandProperty "DisableWindowsLocationProvider" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.37.2" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.1" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.2" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.16" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.51.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.51.2" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSync" ` + | Select-Object -ExpandProperty "DisableFileSync" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.2.1" + Task = "(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser" ` + | Select-Object -ExpandProperty "fSingleSessionPerUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.1" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.2" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.3" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.4" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if ($regValue -gt 900000 -or $regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.2" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.3" + Task = "(L2) Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "ConnectedSearchPrivacy" ` + | Select-Object -ExpandProperty "ConnectedSearchPrivacy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.77.2.1" + Task = "(L1) Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent" ` + -Name "DefaultConsent" ` + | Select-Object -ExpandProperty "DefaultConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.77.3" + Task = "(L1) Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "AutoApproveOSDumps" ` + | Select-Object -ExpandProperty "AutoApproveOSDumps" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.1" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.1" + Task = "(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.2" + Task = "(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.1" + Task = "(L1) Ensure 'Enable screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.2" + Task = "(L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.1.3.3" + Task = "(L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveTimeOut" ` + | Select-Object -ExpandProperty "ScreenSaveTimeOut" + + if ($regValue -gt 900 -or $regValue -le 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.4.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.4.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.25.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.40.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.42.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..59b8d27 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#SecurityOptions.ps1 
@@ -0,0 +1,133 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#UserRights.ps1 new file mode 100644 index 0000000..4b34271 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-CIS-3.0.0#UserRights.ps1 
@@ -0,0 +1,1937 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE") { + if ($name -eq "Enterprise Admins") { + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins") { + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 
'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | 
Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + 
($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | 
Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = 
"True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages 
+= "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ($hyperVStatus -ne "Enabled") { +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators [Hyper-V-Feature NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers 
-join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else { +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if ($null -eq $currentUserRights -and $identityAccounts.Count -gt 0) { + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if ($currentUserRights.Count -lt $identityAccounts.Count) { + $users = "" + foreach ($currentUser in $currentUserRights) { + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. 
Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-114" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages 
+= "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + 
} + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } 
+ } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' 
contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ($null -eq (Get-Module -Name ADFS)) { +[AuditTest] @{ + Id = "2.2.30 A" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the 
following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.30 B" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016" + "S-1-5-80-2246541699-21809830-3603976364-117610243-975697593" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ((Get-WindowsFeature -Name web-server).installed -ne $true) { +[AuditTest] @{ + Id = "2.2.32 A" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + 
if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else { +[AuditTest] @{ + Id = "2.2.32 B" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-32-568" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.33" 
+ Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + 
($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting 
does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Perform volume 
maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.43" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + 
) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = 
$message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or 
($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
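Review bot: The two failure messages in every user-rights test of this file are ungrammatical and inconsistent with each other: "contains following unexpected users" is missing "the", and the second message calls the setting "The user 'SeLockMemoryPrivilege' setting" while the first calls it "The user right 'SeLockMemoryPrivilege'". Suggest `"The user right 'SeLockMemoryPrivilege' contains the following unexpected users: "` and `"The user right 'SeLockMemoryPrivilege' does not contain the following users: "`, applied to 2.2.35 through 2.2.48. Since the body of each Test block, from `$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }` through the two `return @{ ... }` hashtables, is identical apart from the privilege name and the expected SID list, it would also be worth pulling that comparison into one shared helper that takes the privilege name and the SIDs; a wording fix, or a change in how an absent "Privilege Rights" key is reported, would then land in one place instead of fourteen.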
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#AccountPolicies.ps1 new file mode 100644 index 0000000..f69b0b9 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#AccountPolicies.ps1 
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "V-1097" + Task = "The number of allowed bad logon attempts must meet minimum requirements." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 3 -or $setPolicy -eq 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1098" + Task = "The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1099" + Task = "Windows 2012 account lockout duration must be configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. 
Expected: x >= 15 or x == 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1104" + Task = "The maximum password age must meet requirements." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 60 -or $setPolicy -eq 0)) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1105" + Task = "The minimum password age must meet requirements." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -eq 0)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1107" + Task = "The password history must be configured to 24 passwords remembered." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. 
Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1150" + Task = "The built-in Windows password complexity policy must be enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-2372" + Task = "Reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-6836" + Task = "Passwords must, at a minimum, be 14 characters." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
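Review bot: The comparison in V-1097 looks inverted relative to the control it implements: `if (($setPolicy -lt 3 -or $setPolicy -eq 0))` fails a lockout threshold of 1 or 2 and passes any value above 3, yet a lockout threshold is stricter the lower it is, so a lower bound with no upper bound is unusual for this setting, and the `-eq 0` branch is dead code because 0 already satisfies `-lt 3`. The message `Expected: x >= 3 and x != 0` matches the code, so if the requirement is an upper bound (3 or fewer attempts, but not 0) both need to change, to `-gt 3 -or $setPolicy -eq 0` and "Expected: 0 < x <= 3"; please confirm against the STIG text before merging. Two smaller points: V-1107 uses `$setPolicy -ne 24`, so a history size above 24 would be reported as non-compliant although it is at least as strict, and `-lt 24` would express the requirement better; and in every test the `[long]$setPolicy` cast runs before any validation, so a non-numeric value in the exported policy throws out of the test instead of returning a "False" result the way the `$null` case does.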
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#AuditPolicies.ps1 new file mode 100644 index 0000000..b4363b3 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#AuditPolicies.ps1 
@@ -0,0 +1,1217 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "V-26529 + V-26530" + Task = "The system must be configured to audit Account Logon - Credential Validation successes. The system must be configured to audit Account Logon - Credential Validation failures." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26533" + Task = "The system must be configured to audit Account Management - Other Account Management Events successes." + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26535" + Task = "The system must be configured to audit Account Management - Security Group Management successes." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26537 + V-26538" + Task = "The system must be configured to audit Account Management - User Account Management successes. The system must be configured to audit Account Management - User Account Management failures." + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26539" + Task = "The system must be configured to audit Detailed Tracking - Process Creation successes." + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26540" + Task = "The system must be configured to audit Logon/Logoff - Logoff successes." 
+ Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26541 + V-26542" + Task = "The system must be configured to audit Logon/Logoff - Logon successes. The system must be configured to audit Logon/Logoff - Logon failures." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26543" + Task = "The system must be configured to audit Logon/Logoff - Special Logon successes." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26546 + V-26547" + Task = "The system must be configured to audit Policy Change - Audit Policy Change successes. The system must be configured to audit Policy Change - Audit Policy Change failures." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26548" + Task = "The system must be configured to audit Policy Change - Authentication Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26549 + V-26550" + Task = "The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. The system must be configured to audit Privilege Use - Sensitive Privilege Use failures." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26551 + V-26552" + Task = "The system must be configured to audit System - IPsec Driver successes. The system must be configured to audit System - IPsec Driver failures." 
+ Test = { + # Get the audit policy for the subcategory IPsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "IPsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'IPsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26553" + Task = "The system must be configured to audit System - Security State Change successes." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26555" + Task = "The system must be configured to audit System - Security System Extension successes." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-26557 + V-26558" + Task = "The system must be configured to audit System - System Integrity successes. The system must be configured to audit System - System Integrity failures." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-36667 + V-36668" + Task = "The system must be configured to audit Object Access - Removable Storage failures. The system must be configured to audit Object Access - Removable Storage successes." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-40200 + V-40202" + Task = "The system must be configured to audit Object Access - Central Access Policy Staging failures. The system must be configured to audit Object Access - Central Access Policy Staging successes." 
+ Test = { + # Get the audit policy for the subcategory Central Policy Staging + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Central Policy Staging" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Central Policy Staging'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-57633" + Task = "The system must be configured to audit Policy Change - Authorization Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-78057 + V-78059" + Task = "Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes. Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-78061 + V-78063" + Task = "Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes. Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#RegistrySettings.ps1 new file mode 100644 index 0000000..f7cb7c0 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2012 R2-DISA-V2R19#RegistrySettings.ps1 
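Review bot: the `Write-Error -Message $errorString` placed after `throw [System.ArgumentException] $errorString` in every Test block is unreachable; either drop it or emit the error before throwing. On the same repeated block, `$line -notmatch "(No Auditing|Success and Failure|...)$"` only yields a boolean and populates `$Matches` when `$line` is a single string, so if `Select-Object -Skip 3` ever leaves more or fewer lines than expected (the skip count is tied to the exact header layout of `auditpol /get`), the test falls through with an undefined `$Matches[0]` instead of returning the Warning; guard with a count check before matching. The regex also recognises only the English and German setting names, so any other UI language lands in the "Couldn't get setting." branch. Since the eighteen blocks differ only in the subcategory name and the set of accepted values, factoring them into one helper that takes those two inputs would make these three fixes single-place changes.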
@@ -0,0 +1,6330 @@ +[AuditTest] @{ + Id = "V-1075" + Task = "The shutdown option must not be available from the logon dialog box." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ShutdownWithoutLogon" ` + | Select-Object -ExpandProperty "ShutdownWithoutLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1089" + Task = "The required legal notice must be configured to display before console logon." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + if ($regValue -ne "See message text below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message text below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1093" + Task = "Anonymous enumeration of shares must be restricted." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1136" + Task = "Users must be forcibly disconnected when their logon hours expire." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableForcedLogoff" ` + | Select-Object -ExpandProperty "EnableForcedLogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1141" + Task = "Unencrypted passwords must not be sent to third-party SMB Servers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1145" + Task = "Automatic logons must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1151" + Task = "The print driver installation privilege must be restricted to administrators." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1153" + Task = "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1154" + Task = "The Ctrl+Alt+Del security attention sequence for logons must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1162" + Task = "The Windows SMB server must perform SMB packet signing when possible." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-1163" + Task = "Outgoing secure channel traffic must be encrypted when possible." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1164" + Task = "Outgoing secure channel traffic must be signed when possible." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1165" + Task = "The computer account password must not be prevented from being reset." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1166" + Task = "The Windows SMB client must be enabled to perform SMB packet signing when possible." + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-1171" + Task = "Ejection of removable NTFS media must be restricted to Administrators." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AllocateDASD" ` + | Select-Object -ExpandProperty "AllocateDASD" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1172" + Task = "Users must be warned in advance of their passwords expiring." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -lt 14)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 14" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1173" + Task = "The default permissions of global system objects must be increased." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-1174" + Task = "The amount of idle time required before suspending a session must be properly set." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "autodisconnect" ` + | Select-Object -ExpandProperty "autodisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-11806" + Task = "The system must be configured to prevent the display of the last username on the logon screen." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14228" + Task = "Auditing the Access of Global System Objects must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "AuditBaseObjects" ` + | Select-Object -ExpandProperty "AuditBaseObjects" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14230" + Task = "Audit policy using subcategories must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14232" + Task = "IPSec Exemptions must be limited." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC" ` + -Name "NoDefaultExempt" ` + | Select-Object -ExpandProperty "NoDefaultExempt" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14234" + Task = "User Account Control approval mode for the built-in Administrator must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14236" + Task = "User Account Control must automatically deny standard user requests for elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14237" + Task = "User Account Control must be configured to detect application installations and prompt for elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14239" + Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14240" + Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14241" + Task = "User Account Control must switch to the secure desktop when prompting for elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14242" + Task = "User Account Control must virtualize file and registry write failures to per-user locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14243" + Task = "Administrator accounts must not be enumerated during elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14247" + Task = "Passwords must not be saved in the Remote Desktop Client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14249" + Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14253" + Task = "Unauthenticated RPC clients must be restricted from connecting to the RPC server." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14259" + Task = "Printing over HTTP must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14260" + Task = "Downloading print driver packages over HTTP must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14261" + Task = "Windows must be prevented from using Windows Update to search for drivers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching" ` + -Name "DontSearchWindowsUpdate" ` + | Select-Object -ExpandProperty "DontSearchWindowsUpdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14268" + Task = "Zone information must be preserved when saving attachments." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14269" + Task = "Mechanisms for removing zone information from file attachments must be hidden." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "HideZoneInfoOnProperties" ` + | Select-Object -ExpandProperty "HideZoneInfoOnProperties" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-14270" + Task = "The system must notify antivirus when file attachments are opened." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15666" + Task = "Windows Peer-to-Peer networking services must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15667" + Task = "Network Bridges must be prohibited in Windows." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15672" + Task = "Event Viewer Events.asp links must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer" ` + -Name "MicrosoftEventVwrDisableLinks" ` + | Select-Object -ExpandProperty "MicrosoftEventVwrDisableLinks" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15674" + Task = "The Internet File Association service must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInternetOpenWith" ` + | Select-Object -ExpandProperty "NoInternetOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15682" + Task = "Attachments must be prevented from being downloaded from RSS feeds." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15683" + Task = "File Explorer shell protocol must run in protected mode." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15684" + Task = "Users must be notified if a web-based program attempts to install software." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15685" + Task = "Users must be prevented from changing installation options." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15686" + Task = "Nonadministrators must be prevented from applying vendor-signed updates." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "DisableLUAPatching" ` + | Select-Object -ExpandProperty "DisableLUAPatching" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15687" + Task = "Users must not be presented with Privacy and Installation options on first use of Windows Media Player." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "GroupPrivacyAcceptance" ` + | Select-Object -ExpandProperty "GroupPrivacyAcceptance" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15699" + Task = "The Windows Connect Now wizards must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15700" + Task = "Remote access to the Plug and Play interface must be disabled for device installation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings" ` + -Name "AllowRemoteRPC" ` + | Select-Object -ExpandProperty "AllowRemoteRPC" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15701" + Task = "A system restore point must be created when a new device driver is installed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings" ` + -Name "DisableSystemRestore" ` + | Select-Object -ExpandProperty "DisableSystemRestore" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15702" + Task = "An Error Report must not be sent when a generic device driver is installed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings" ` + -Name "DisableSendGenericDriverNotFoundToWER" ` + | Select-Object -ExpandProperty "DisableSendGenericDriverNotFoundToWER" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15703" + Task = "Users must not be prompted to search Windows Update for device drivers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching" ` + -Name "DontPromptForWindowsUpdate" ` + | Select-Object -ExpandProperty "DontPromptForWindowsUpdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15704" + Task = "Errors in handwriting recognition on tablet PCs must not be reported to Microsoft." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15705" + Task = "Users must be prompted to authenticate on resume from sleep (on battery)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15706" + Task = "The user must be prompted to authenticate on resume from sleep (plugged in)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15707" + Task = "Remote Assistance log files must be generated." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "LoggingEnabled" ` + | Select-Object -ExpandProperty "LoggingEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15718" + Task = "Turning off File Explorer heap termination on corruption must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15722" + Task = "Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM" ` + -Name "DisableOnline" ` + | Select-Object -ExpandProperty "DisableOnline" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15727" + Task = "Users must be prevented from sharing files in their profiles." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInPlaceSharing" ` + | Select-Object -ExpandProperty "NoInPlaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15991" + Task = "UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15997" + Task = "Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15998" + Task = "Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-15999" + Task = "Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-16000" + Task = "The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEnableSmartCard" ` + | Select-Object -ExpandProperty "fEnableSmartCard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-16008" + Task = "Windows must elevate all applications in User Account Control, not just signed ones." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ValidateAdminCodeSignatures" ` + | Select-Object -ExpandProperty "ValidateAdminCodeSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-16020" + Task = "The Windows Customer Experience Improvement Program must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-16021" + Task = "The Windows Help Experience Improvement Program must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-16048" + Task = "Windows Help Ratings feedback must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoExplicitFeedback" ` + | Select-Object -ExpandProperty "NoExplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21950" + Task = "The service principal name (SPN) target name validation level must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SmbServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SmbServerNameHardeningLevel" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21951" + Task = "Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21952" + Task = "NTLM must be prevented from falling back to a Null session." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21953" + Task = "PKU2U authentication using online identities must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21954" + Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21955" + Task = "IPv6 source routing must be configured to the highest protection level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21956" + Task = "IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "TcpMaxDataRetransmissions" ` + | Select-Object -ExpandProperty "TcpMaxDataRetransmissions" + + if (($regValue -gt 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21960" + Task = "Domain users must be required to elevate when setting a networks location." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21961" + Task = "All Direct Access traffic must be routed through the internal network." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "Force_Tunneling" ` + | Select-Object -ExpandProperty "Force_Tunneling" + + if ($regValue -ne "Enabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Enabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21963" + Task = "Windows Update must be prevented from searching for point and print drivers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DoNotInstallCompatibleDriverFromWindowsUpdate" ` + | Select-Object -ExpandProperty "DoNotInstallCompatibleDriverFromWindowsUpdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21964" + Task = "Device metadata retrieval from the Internet must be prevented." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21965" + Task = "Device driver searches using Windows Update must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching" ` + -Name "SearchOrderConfig" ` + | Select-Object -ExpandProperty "SearchOrderConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21967" + Task = "Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21969" + Task = "Access to Windows Online Troubleshooting Service (WOTS) must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "EnableQueryRemoteServer" ` + | Select-Object -ExpandProperty "EnableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21970" + Task = "Responsiveness events must be prevented from being aggregated and sent to Microsoft." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21971" + Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21973" + Task = "Autoplay must be turned off for non-volume devices." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-21980" + Task = "Explorer Data Execution Prevention must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-22692" + Task = "The default Autorun behavior must be configured to prevent Autorun commands." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-2374" + Task = "Autoplay must be disabled for all drives." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26283" + Task = "Anonymous enumeration of SAM accounts must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26359" + Task = "The Windows dialog box title for the legal banner must be configured." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + if ($regValue -ne "See message title options below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message title options below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26575" + Task = "The 6to4 IPv6 transition technology must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "6to4_State" ` + | Select-Object -ExpandProperty "6to4_State" + + if ($regValue -ne "Disabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Disabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26576" + Task = "The IP-HTTPS IPv6 transition technology must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface" ` + -Name "IPHTTPS_ClientState" ` + | Select-Object -ExpandProperty "IPHTTPS_ClientState" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26577" + Task = "The ISATAP IPv6 transition technology must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "ISATAP_State" ` + | Select-Object -ExpandProperty "ISATAP_State" + + if ($regValue -ne "Disabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Disabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26578" + Task = "The Teredo IPv6 transition technology must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" ` + -Name "Teredo_State" ` + | Select-Object -ExpandProperty "Teredo_State" + + if ($regValue -ne "Disabled") { + return @{ + Message = "Registry value is '$regValue'. Expected: Disabled" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26579" + Task = "The Application event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26580" + Task = "The Security event log size must be configured to 196608 KB or greater." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26581" + Task = "The Setup event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-26582" + Task = "The System event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-28504" + Task = "Windows must be prevented from sending an error report when a device driver requests additional software during installation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings" ` + -Name "DisableSendRequestAdditionalSoftwareToWER" ` + | Select-Object -ExpandProperty "DisableSendRequestAdditionalSoftwareToWER" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3343" + Task = "Solicited Remote Assistance must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3344" + Task = "Local accounts with blank passwords must be restricted to prevent access from the network." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3373" + Task = "The maximum age for machine account passwords must be set to requirements." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3374" + Task = "The system must be configured to require a strong session key." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3377" + Task = "The system must be configured to prevent anonymous users from having the same rights as the Everyone group." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3378" + Task = "The system must be configured to use the Classic security model." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3379" + Task = "The system must be configured to prevent the storage of the LAN Manager hash of passwords." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3381" + Task = "The system must be configured to the required LDAP client signing level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3382" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3383" + Task = "The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3385" + Task = "The system must be configured to require case insensitivity for non-Windows subsystems." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3449" + Task = "Remote Desktop Services must limit users to one remote session." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser " ` + | Select-Object -ExpandProperty "fSingleSessionPerUser " + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3453" + Task = "Remote Desktop Services must always prompt a client for passwords upon connection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3454" + Task = "Remote Desktop Services must be configured with the client connection encryption set to the required level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3455" + Task = "Remote Desktop Services must be configured to use session-specific temporary folders." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3456" + Task = "Remote Desktop Services must delete temporary folders when a session is terminated." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3470" + Task = "The system must be configured to prevent unsolicited remote assistance offers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3479" + Task = "The system must be configured to use Safe DLL Search Mode." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3480" + Task = "Windows Media Player must be configured to prevent automatic checking for updates." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "DisableAutoupdate" ` + | Select-Object -ExpandProperty "DisableAutoupdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3481" + Task = "Media Player must be configured to prevent automatic Codec downloads." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-34974" + Task = "The Windows Installer Always install with elevated privileges option must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36439" + Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36656" + Task = "A screen saver must be enabled on the system." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaveActive" ` + | Select-Object -ExpandProperty "ScreenSaveActive" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36657" + Task = "The screen saver must be password protected." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop" ` + -Name "ScreenSaverIsSecure" ` + | Select-Object -ExpandProperty "ScreenSaverIsSecure" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-3666" + Task = "The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36673" + Task = "IP stateless autoconfiguration limits state must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableIPAutoConfigurationLimits" ` + | Select-Object -ExpandProperty "EnableIPAutoConfigurationLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36677" + Task = "Optional component installation and component repair must be prevented from using Windows Update." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing" ` + -Name "UseWindowsUpdate" ` + | Select-Object -ExpandProperty "UseWindowsUpdate" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36678" + Task = "Device driver updates must only search managed servers, not Windows Update." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching" ` + -Name "DriverServerSelection" ` + | Select-Object -ExpandProperty "DriverServerSelection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36679" + Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36680" + Task = "Access to the Windows Store must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoUseStoreOpenWith" ` + | Select-Object -ExpandProperty "NoUseStoreOpenWith" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36681" + Task = "Copying of user input methods to the system account for sign-in must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36684" + Task = "Local users on domain-joined computers must not be enumerated." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36687" + Task = "App notifications on the lock screen must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36696" + Task = "The detection of compatibility issues for applications and drivers must be turned off." + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." 
+ Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisablePcaUI" ` + | Select-Object -ExpandProperty "DisablePcaUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36697" + Task = "Trusted app installation must be enabled to allow for signed enterprise line of business apps." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx" ` + -Name "AllowAllTrustedApps" ` + | Select-Object -ExpandProperty "AllowAllTrustedApps" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36698" + Task = "The use of biometrics must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36700" + Task = "The password reveal button must not be displayed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36709" + Task = "Basic authentication for RSS feeds over HTTP must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36710" + Task = "Automatic download of updates from the Windows Store must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "AutoDownload" ` + | Select-Object -ExpandProperty "AutoDownload" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36711" + Task = "The Windows Store application must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" ` + -Name "RemoveWindowsStore" ` + | Select-Object -ExpandProperty "RemoveWindowsStore" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36712" + Task = "The Windows Remote Management (WinRM) client must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36713" + Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36714" + Task = "The Windows Remote Management (WinRM) client must not use Digest authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36718" + Task = "The Windows Remote Management (WinRM) service must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36719" + Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36720" + Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36773" + Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36776" + Task = "Notifications from Windows Push Network Service must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-36777" + Task = "Toast notifications to the lock screen must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-40204" + Task = "Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "RedirectOnlyDefaultClientPrinter" ` + | Select-Object -ExpandProperty "RedirectOnlyDefaultClientPrinter" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4108" + Task = "The system must generate an audit event when the audit log reaches a percentage of full threshold." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4110" + Task = "The system must be configured to prevent IP source routing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4111" + Task = "The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4112" + Task = "The system must be configured to disable the Internet Router Discovery Protocol (IRDP)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4113" + Task = "The system must be configured to limit how often keep-alive packets are sent." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if (($regValue -gt 300000)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4116" + Task = "The system must be configured to ignore NetBIOS name release requests except from WINS servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-43238" + Task = "The display of slide shows on the lock screen must be disabled (Windows 2012 R2)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-43239" + Task = "Windows 2012 R2 must include command line data in process creation events." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-43240" + Task = "The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-43241" + Task = "The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-43245" + Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4438" + Task = "The system must limit how many times unacknowledged TCP data is retransmitted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "TcpMaxDataRetransmissions" ` + | Select-Object -ExpandProperty "TcpMaxDataRetransmissions" + + if (($regValue -gt 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4447" + Task = "The Remote Desktop Session Host must require secure RPC communications." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-4448" + Task = "Group Policy objects must be reprocessed even if they have not changed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-57639" + Task = "Users must be required to enter a password to access private keys stored on the computer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-6831" + Task = "Outgoing secure channel traffic must be encrypted or signed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-6832" + Task = "The Windows SMB client must be configured to always perform SMB packet signing." 
+ Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-6833" + Task = "The Windows SMB server must be configured to always perform SMB packet signing." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-6834" + Task = "Anonymous access to Named Pipes and Shares must be restricted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-72753" + Task = "WDigest Authentication must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73519" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73523" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-80475" + Task = "PowerShell script block logging must be enabled on Windows 2012/2012 R2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..422bbfd --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#AccountPolicies.ps1 
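Review bot: In V-6833 the registry fallback reads RequireSecuritySignature but never compares `$regValue` with the expected value 1; every value, including 0, produces Status "Warning", and the message ends with "See here and here" without the links that phrase refers to. Suggest mirroring the V-6832 fallback, `if ($regValue -ne 1) { return @{ Message = "Registry value is '$regValue'. Expected: 1"; Status = "False" } }`, before the Warning/Compliant return, and either adding the references or dropping the trailing phrase. Related inconsistency: V-6832 calls Get-SmbClientConfiguration without -ErrorAction Stop while V-6833 passes it to Get-SmbServerConfiguration; a non-terminating error in the client case leaves `$null.RequireSecuritySignature` compared against $True and yields a False result instead of reaching the registry fallback.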
@@ -0,0 +1,283 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 15) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'AllowAdministratorLockout' currently set to: $setPolicy. 
Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 15) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..da2f9f0 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#AuditPolicies.ps1 
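Review bot: Test 1.1.1 checks `$setPolicy -ne 24` although its Task reads "24 or more password(s)", so a PasswordHistorySize of, say, 30 is reported as non-compliant; it should be `$setPolicy -lt 24` with the message "Expected: x >= 24", the pattern already used in 1.1.3, 1.1.4 and 1.2.1. Minor: in 1.1.2 the string "Password never expires" is assigned to `$setPolicy` right after it was cast to [long]; PowerShell retypes the variable so it works, but a separate display variable would make the intent clearer.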
@@ -0,0 +1,2036 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.2" + Task = "(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.3" + Task = "(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.6" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.1" + Task = "(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.2" + Task = "(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..1c8d782 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#RegistrySettings.ps1 
@@ -0,0 +1,12380 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$avstatus = CheckForActiveAV +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.1" + Task = "(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SubmitControl" ` + | Select-Object -ExpandProperty "SubmitControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.2" + Task = "(L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "vulnerablechannelallowlist" ` + | Select-Object -ExpandProperty "vulnerablechannelallowlist" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.3" + Task = "(L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.4" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.5" + Task = "(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if ($regValue -le 0 -or $regValue -gt 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -gt 900 -or $regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if ($regValue -gt 14 -or $regValue -lt 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ForceUnlockLogon" ` + | Select-Object -ExpandProperty "ForceUnlockLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 1 - 'Lock Workstation' or 2 / 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if ($regValue -gt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC NETLOGON SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +$CARoleStatus = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed +$WINSStatus = (Get-WindowsFeature -Name WINS).Installed +[AuditTest] @{ + Id = "2.3.10.9 A" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' [WINS Role Feature and CA Role Service NOT installed]" + Test = { + try { + if (($CARoleStatus -or $WINSStatus) -eq $true){ + return @{ + Message = "WINS Role Feature or CA Role Service are installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 B" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [CA Role Service installed]" + Test = { + try { + if ($CARoleStatus -eq $false){ + return @{ + Message = "CA Role Service NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + 
"Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\CertSvc" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 C" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [WINS Role Feature installed]" + Test = { + try { + if ($WINSStatus -eq $false){ + return @{ + Message = "WINS Role Feature NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\WINS" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\WINS" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.13" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 1 - 'Negotiate signing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.11" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AuditReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "AuditReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.12" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' is set to 'Enable all' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "AuditNTLMInDomain" ` + | Select-Object -ExpandProperty "AuditNTLMInDomain" + + if ($regValue -ne 7) { + return @{ + Message = "Registry value is '$regValue'. Expected: 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.13" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 1 - 'Audit all' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.13.1" + Task = "(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ShutdownWithoutLogon" ` + | Select-Object -ExpandProperty "ShutdownWithoutLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + 
Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + 
$expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is 
set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to 
'%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = 
"9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows 
Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' 
is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" 
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.3" + Task = "(L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if ($regValue -lt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if ($regValue -gt 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" ` + -Name "EnableCertPaddingCheck" ` + | Select-Object -ExpandProperty "EnableCertPaddingCheck" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'LSA Protection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.8" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.9" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if ($regValue -gt 90) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' (or 0 - Disable NetBIOS name resolution)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: 0 - Negotiate' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 1 - 'Secure Boot' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 1) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.7" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.5" + Task = "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.6" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.7" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.1" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.2" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.3" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.4" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.2" + Task = "(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.2" + Task = "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.12.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.2" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.36.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.40.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.7.1" + Task = "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.1" + Task = "(L1) Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.2" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.3" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.17" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.55.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.2.1" + Task = "(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser" ` + | Select-Object -ExpandProperty "fSingleSessionPerUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.1" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.2" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.3" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.4" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if ($regValue -gt 900000 -or $regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.3" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.4" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.62.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.1" + Task = "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.2" + Task = "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if ($regValue -lt 180 -or $regValue -gt 365) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.26.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.42.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.44.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
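Review bot: The tests 19.5.1.1 through 19.7.44.2.1 in this hunk read from `Registry::HKEY_CURRENT_USER`, which is the hive of the account running the auditor (normally an elevated administrator or SYSTEM), not the hive of the interactive user whose configuration these user-scope CIS items describe; consider stating that in the Task text or, if the auditor supports it, resolving the target user's hive under HKEY_USERS so the result is not silently about the wrong account. A smaller point in the same hunk: 18.10.92.4.2 B rejects `DeferFeatureUpdatesPeriodInDays` above 365 and reports `Expected: x >= 180 and x <= 365` while its Task says "180 or more days"; either drop the upper bound or mention the 365 ceiling in the Task so the two agree. The try/catch and return blocks are also repeated verbatim in every test; a shared helper taking Path, Name and Expected would make the remaining per-test lines the ones that actually differ.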
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..59b8d27 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#SecurityOptions.ps1 
@@ -0,0 +1,133 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#UserRights.ps1 new file mode 100644 index 0000000..94e1a2f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-CIS-3.0.0#UserRights.ps1 
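Review bot: The failure messages for 2.3.1.4 and 2.3.1.5 echo the raw pattern, e.g. `Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`, which a reader of the audit report cannot act on without decoding the regex; a plain wording such as `Expected: a name of 1-20 characters that is not 'Administrator'` (and `'Guest' or 'Gast'` for 2.3.1.5) in the Message would be clearer, and the pattern can stay in the code. Note also that PowerShell's `-match` is already case-insensitive, so the inline `(?i)` is redundant, though harmless.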
@@ -0,0 +1,1984 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the 
operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + 
$identityAccounts = @( + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join 
[System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | 
ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + 
$identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join 
[System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if 
($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + 
$messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators [Hyper-V-Feature NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + if ($null -eq (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V)) { + return @{ + Status = "None" + Message = "Hyper-V not installed." + } + } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = 
$message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Deny access to this computer from the network' to 
include 'Guests, Local account and member of Administrators group' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-114" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ($null -eq (Get-Module -Name ADFS)) { +[AuditTest] @{ + Id = "2.2.31 A" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + 
"S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.31 B" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016" + "S-1-5-80-2246541699-21809830-3603976364-117610243-975697593" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting 
does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ((Get-WindowsFeature -Name web-server).installed -ne $true) { +[AuditTest] @{ + Id = "2.2.33 A" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed] (MS only)" + Constraints = @( + @{ "Property" = 
"DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.33 B" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-32-568" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + 
if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + 
($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the 
following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.43" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + 
if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = 
$currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" 
+ Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.49" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + 
$messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-1.12#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-1.12#UserRights.ps1 new file mode 100644 index 0000000..2af5d78 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-1.12#UserRights.ps1 
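Review bot: the `if ($null -eq (Get-Module -Name ADFS))` guard that selects between 2.2.31 A and 2.2.31 B only inspects modules already imported into the current session, so on an ADFS server where the ADFS module has not been imported it still returns $null, test 2.2.31 A (the non-ADFS expectation) is emitted, and the two ADFS service SIDs granted SeAuditPrivilege are reported as unexpected users. Use `Get-Module -ListAvailable -Name ADFS`, or check the role with `Get-WindowsFeature` (feature name `ADFS-Federation`) to match the `(Get-WindowsFeature -Name web-server).installed` pattern already used for 2.2.33. Separately, test 2.2.38 names 'Exchange Servers' as acceptable in its Task string but its `$identityAccounts` list only contains S-1-5-32-544, so a DC in an Exchange environment will fail with 'Exchange Servers' listed as unexpected; either accept that group when it resolves or remove it from the Task text.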
@@ -0,0 +1,71 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests 
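Review bot: the `catch` in ConvertTo-NTAccountUser swallows every exception and returns the literal "Orphaned Account" as the Account value, so an untranslatable SID later appears in audit messages only as the string "Orphaned Account" with the SID discarded, and a lookup that failed for a reason unrelated to the account (the Translate call throwing) is indistinguishable from a genuinely orphaned SID. Suggest keeping the SID visible, e.g. `Account = "Orphaned Account ($Name)"`, and emitting the exception via Write-Verbose or Write-Warning before returning. Two smaller points: the file is named `...-DISA-1.12#UserRights.ps1` while the sibling files in this patch use `-DISA-V1R12`, so it will not be grouped with the same benchmark; and the hunk ends at `# Tests` with no [AuditTest] entries, so the file currently contributes no checks at all.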
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#AccountPolicies.ps1 new file mode 100644 index 0000000..a500d49 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#AccountPolicies.ps1 
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "V-73309" + Task = "Windows 2016 account lockout duration must be configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73311" + Task = "Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 3 -or $setPolicy -eq 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73313" + Task = "Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73315" + Task = "Windows Server 2016 password history must be configured to 24 passwords remembered." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73317" + Task = "Windows Server 2016 maximum password age must be configured to 60 days or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 60 -or $setPolicy -eq 0)) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73319" + Task = "Windows Server 2016 minimum password age must be configured to at least one day." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -eq 0)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73321" + Task = "Windows Server 2016 minimum password length must be configured to 14 characters." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73323" + Task = "Windows Server 2016 must have the built-in Windows password complexity policy enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73325" + Task = "Windows Server 2016 reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
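Review bot: V-73311 has the comparison inverted: the task is "three or less" bad logon attempts, but `if (($setPolicy -lt 3 -or $setPolicy -eq 0))` flags 1 and 2 as non-compliant and accepts 4 or more; it should be `($setPolicy -gt 3 -or $setPolicy -eq 0)` and the message should read `Expected: x <= 3 and x != 0`. Also, in every test here `[long]$setPolicy` will throw on a non-numeric value and nothing catches it; the `$null` check covers only the absent case, so a malformed export would abort the test instead of returning a Status of "Warning".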
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#AuditPolicies.ps1 new file mode 100644 index 0000000..52d25bf --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#AuditPolicies.ps1 
@@ -0,0 +1,1502 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "V-73413 + V-73415" + Task = "Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes. Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73417" + Task = "Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes." + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73419" + Task = "Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes." + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73423" + Task = "Windows Server 2016 must be configured to audit Account Management - Security Group Management successes." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73427 + V-73429" + Task = "Windows Server 2016 must be configured to audit Account Management - User Account Management successes. Windows Server 2016 must be configured to audit Account Management - User Account Management failures." + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73431" + Task = "Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes." + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73433" + Task = "Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes." + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73435 + V-73437" + Task = "Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes. Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures." + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73439 + V-73441" + Task = "Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes. Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures." + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73443 + V-73445" + Task = "Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes. Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures." + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73447" + Task = "Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes." + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73449" + Task = "Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes." 
+ Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73451 + V-73453" + Task = "Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes. Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73455" + Task = "Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73457 + V-73459" + Task = "Windows Server 2016 must be configured to audit Object Access - Removable Storage successes. Windows Server 2016 must be configured to audit Object Access - Removable Storage failures." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73461 + V-73463" + Task = "Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes. Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73465" + Task = "Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73467" + Task = "Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73469 + V-73471" + Task = "Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes. Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73473 + V-73475" + Task = "Windows Server 2016 must be configured to audit System - IPsec Driver successes. Windows Server 2016 must be configured to audit System - IPsec Driver failures." 
+ Test = { + # Get the audit policy for the subcategory IPsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "IPsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'IPsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73477 + V-73479" + Task = "Windows Server 2016 must be configured to audit System - Other System Events successes. Windows Server 2016 must be configured to audit System - Other System Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73481" + Task = "Windows Server 2016 must be configured to audit System - Security State Change successes." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73483" + Task = "Windows Server 2016 must be configured to audit System - Security System Extension successes." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-73489 + V-73491" + Task = "Windows Server 2016 must be configured to audit System - System Integrity successes. Windows Server 2016 must be configured to audit System - System Integrity failures." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-90359 + V-90361" + Task = "Windows 2016 must be configured to audit Object Access - Other Object Access Events successes. Windows 2016 must be configured to audit Object Access - Other Object Access Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#RegistrySettings.ps1 new file mode 100644 index 0000000..db36dd7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#RegistrySettings.ps1 
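Review bot: the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` in every `$LASTEXITCODE -ne 0` block is unreachable, because `throw` leaves the test block first; drop the `Write-Error` line or move it ahead of the `throw`. Since this same body is repeated verbatim for each of the fifteen subcategories in this hunk (Group Membership, Logoff, Logon, Special Logon, Removable Storage, Audit Policy Change, ... Other Object Access Events) with only the subcategory name and the accepted-settings set changing, a shared helper taking the subcategory and the list of compliant settings would let a parsing fix land once instead of fifteen times. Two points on that parsing: `$Matches[0]` is only populated when the left-hand side of `-notmatch` is a single string, so if `Select-Object -Skip 3` ever leaves more than one line (making `$line` an array) the test falls through to `$setting = $Matches[0]` with stale or missing data instead of returning the Warning; and the alternation `(No Auditing|...|Keine Überwachung|...|Fehler)$` only recognises English and German auditpol output, so on any other display language every test here reports Warning "Couldn't get setting." rather than a real result, which deserves a comment at the top of the file. Lastly, `-And` and `-and` are mixed within the same condition; pick one casing.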
@@ -0,0 +1,3437 @@ +[AuditTest] @{ + Id = "V-73487" + Task = "Administrator accounts must not be enumerated during elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73493" + Task = "The display of slide shows on the lock screen must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73495" + Task = "Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73497" + Task = "WDigest Authentication must be disabled on Windows Server 2016." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73499" + Task = "Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73501" + Task = "Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73503" + Task = "Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73505" + Task = "Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73507" + Task = "Insecure logons to an SMB server must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73511" + Task = "Command line data must be included in process creation events." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73521" + Task = "Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if (($regValue -ne 1) -and ($regValue -ne 3) -and ($regValue -ne 8)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 3 or x == 8" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73525" + Task = "Group Policy objects must be reprocessed even if they have not changed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73527" + Task = "Downloading print driver packages over HTTP must be prevented." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73529" + Task = "Printing over HTTP must be prevented." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73531" + Task = "The network selection user interface (UI) must not be displayed on the logon screen." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73533" + Task = "Local users on domain-joined computers must not be enumerated." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73537" + Task = "Users must be prompted to authenticate when the system wakes from sleep (on battery)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73539" + Task = "Users must be prompted to authenticate when the system wakes from sleep (plugged in)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73541" + Task = "Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73543" + Task = "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73545" + Task = "AutoPlay must be turned off for non-volume devices." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73547" + Task = "The default AutoRun behavior must be configured to prevent AutoRun commands." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73549" + Task = "AutoPlay must be disabled for all drives." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73553" + Task = "The Application event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73555" + Task = "The Security event log size must be configured to 196608 KB or greater." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73557" + Task = "The System event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73559" + Task = "Windows Server 2016 Windows SmartScreen must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73561" + Task = "Explorer Data Execution Prevention must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73563" + Task = "Turning off File Explorer heap termination on corruption must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. 
Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73565" + Task = "File Explorer shell protocol must run in protected mode." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73567" + Task = "Passwords must not be saved in the Remote Desktop Client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73569" + Task = "Local drives must be prevented from sharing with Remote Desktop Session Hosts." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73571" + Task = "Remote Desktop Services must always prompt a client for passwords upon connection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73573" + Task = "The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73575" + Task = "Remote Desktop Services must be configured with the client connection encryption set to High Level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73577" + Task = "Attachments must be prevented from being downloaded from RSS feeds." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73579" + Task = "Basic authentication for RSS feeds over HTTP must not be used." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73581" + Task = "Indexing of encrypted files must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73583" + Task = "Users must be prevented from changing installation options." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73585" + Task = "The Windows Installer Always install with elevated privileges option must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73587" + Task = "Users must be notified if a web-based program attempts to install software." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73589" + Task = "Automatically signing in the last interactive user after a system-initiated restart must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73591" + Task = "PowerShell script block logging must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73593" + Task = "The Windows Remote Management (WinRM) client must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73595" + Task = "The Windows Remote Management (WinRM) client must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73597" + Task = "The Windows Remote Management (WinRM) client must not use Digest authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73599" + Task = "The Windows Remote Management (WinRM) service must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73601" + Task = "The Windows Remote Management (WinRM) service must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73603" + Task = "The Windows Remote Management (WinRM) service must not store RunAs credentials." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73621" + Task = "Local accounts with blank passwords must be restricted to prevent access from the network." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73627" + Task = "Audit policy using subcategories must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73629" + Task = "Domain controllers must require LDAP access signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73631" + Task = "Domain controllers must be configured to allow reset of machine account passwords." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73633" + Task = "The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73635" + Task = "The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73637" + Task = "The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73639" + Task = "The computer account password must not be prevented from being reset." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73641" + Task = "The maximum age for machine account passwords must be configured to 30 days or less." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73643" + Task = "Windows Server 2016 must be configured to require a strong session key." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73645" + Task = "The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73647" + Task = "The required legal notice must be configured to display before console logon." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + if ($regValue -ne "See message text below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message text below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73649" + Task = "The Windows dialog box title for the legal banner must be configured with the appropriate text." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + if ($regValue -ne "See message title options below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message title options below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73653" + Task = "The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." 
+ Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-73655" + Task = "The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-73657" + Task = "Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73661" + Task = "The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. 
See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-73663" + Task = "The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-73667" + Task = "Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73669" + Task = "Anonymous enumeration of shares must not be allowed." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73673" + Task = "Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73675" + Task = "Anonymous access to Named Pipes and Shares must be restricted." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73677" + Task = "Remote calls to the Security Account Manager (SAM) must be restricted to Administrators." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73679" + Task = "Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73681" + Task = "NTLM must be prevented from falling back to a Null session." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73683" + Task = "PKU2U authentication using online identities must be prevented." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73685" + Task = "Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73687" + Task = "Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73691" + Task = "The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73693" + Task = "Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73695" + Task = "Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73697" + Task = "Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73699" + Task = "Users must be required to enter a password to access private keys stored on the computer." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73701" + Task = "Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73705" + Task = "The default permissions of global system objects must be strengthened." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73707" + Task = "User Account Control approval mode for the built-in Administrator must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73709" + Task = "UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73713" + Task = "User Account Control must automatically deny standard user requests for elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73715" + Task = "User Account Control must be configured to detect application installations and prompt for elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73717" + Task = "User Account Control must only elevate UIAccess applications that are installed in secure locations." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73719" + Task = "User Account Control must run all administrators in Admin Approval Mode, enabling UAC." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73721" + Task = "User Account Control must virtualize file and registry write failures to per-user locations." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73727" + Task = "Zone information must be preserved when saving attachments." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-78123" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB server." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-78125" + Task = "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#SecurityOptions.ps1 new file mode 100644 index 0000000..0fb03a1 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-DISA-V1R12#SecurityOptions.ps1 
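Review bot: In V-73727 both catch blocks return Status "True" ("Compliant. Registry value not found.") while every other test in this hunk treats a missing value or key as "False"; if that is deliberate because an absent SaveZoneInformation value keeps the default of preserving zone information, say so in a comment beside the catch blocks, otherwise it reads as a copy-paste inversion. Two further points in the same hunk: V-73727 reads HKEY_CURRENT_USER, so when the auditor runs as SYSTEM or a service account the result reflects that account's hive rather than the policy applied to interactive users, which the Message should state; and V-78123 reports a missing LanmanServer\Parameters\SMB1 value as "Registry value not found" / "False" even on a host where the FS-SMB1 feature has been removed outright and no value was ever written, so consider consulting Get-WindowsFeature FS-SMB1 or the EnableSMB1Protocol property of Get-SmbServerConfiguration before failing the host.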
@@ -0,0 +1,104 @@ +[AuditTest] @{ + Id = "V-73623" + Task = "Windows Server 2016 built-in administrator account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73625" + Task = "Windows Server 2016 built-in guest account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73665" + Task = "Anonymous SID/Name translation must not be allowed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-73809" + Task = "Windows Server 2016 built-in guest account must be disabled." 
+ Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#AccountPolicies.ps1 new file mode 100644 index 0000000..dab2b4d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#AccountPolicies.ps1 
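Review bot: V-73665 and V-73809 compare the raw policy value with `-ne 0` without the `[long]` cast that the AccountPolicies tests apply to the same resource, so a value exported with surrounding whitespace or in another numeric form fails the comparison with a misleading "currently set to" message; cast with `[long]$setOption` before comparing, as the other file does. On the rename checks, `-match` is already case-insensitive in PowerShell, so the `(?i)` in V-73625's pattern is redundant, and the German alternative `Gast` is the only reason the guest pattern differs from V-73623's; a short comment on V-73625 explaining that localisation would stop the two patterns looking accidentally inconsistent.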
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "AccountPolicy-001" + Task = "Ensure 'MinimumPasswordAge' is set to '1'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-002" + Task = "Ensure 'MaximumPasswordAge' is set to '60'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 60) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: 60" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-003" + Task = "Ensure 'MinimumPasswordLength' is set to '14'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 14) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-004" + Task = "Ensure 'PasswordComplexity' is set to '1'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-005" + Task = "Ensure 'PasswordHistorySize' is set to '24'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-006" + Task = "Ensure 'LockoutBadCount' is set to '10'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 10) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-007" + Task = "Ensure 'ResetLockoutCount' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." 
+ Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 15) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-008" + Task = "Ensure 'LockoutDuration' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 15) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-009" + Task = "Ensure 'ClearTextPassword' is set to '0'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#AuditPolicies.ps1 new file mode 100644 index 0000000..6ef132e --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#AuditPolicies.ps1 
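Review bot: Every comparison in this file is exact equality (`-ne 1`, `-ne 60`, `-ne 14`, `-ne 24`, `-ne 10`, `-ne 15`), so a host configured more strictly than the baseline (MinimumPasswordLength 16, PasswordHistorySize 30, LockoutBadCount 5, LockoutDuration 30) is reported as "False" with a "currently set to" message that reads like a weakness; if the baseline values are meant as a floor, use directional comparisons (`-lt 14`, `-lt 24`, `-lt 15`, and for LockoutBadCount `-le 0 -or -gt 10`, for MaximumPasswordAge `-le 0 -or -gt 60`) and keep exact equality only where the setting is a switch (PasswordComplexity 1, ClearTextPassword 0). Separately, `$setPolicy = [long]$setPolicy` throws on a non-numeric export and that exception escapes the Test block uncaught; guard the cast (try/catch or `[long]::TryParse`) and return a "Warning" status instead.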
@@ -0,0 +1,1274 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "AuditPolicy-001" + Task = "Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-002" + Task = "Ensure 'Other Account Management Events' is set to 'Success' and is set to 'Failure'." + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-003" + Task = "Ensure 'Security Group Management' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-004" + Task = "Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-005" + Task = "Ensure 'PNP Activity' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-006" + Task = "Ensure 'Process Creation' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-007" + Task = "Ensure 'Account Lockout' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-008" + Task = "Ensure 'Group Membership' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-009" + Task = "Ensure 'Logoff' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-010" + Task = "Ensure 'Logon' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-011" + Task = "Ensure 'Special Logon' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-012" + Task = "Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-013" + Task = "Ensure 'Audit Policy Change' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-014" + Task = "Ensure 'Authentication Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-015" + Task = "Ensure 'Authorization Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-016" + Task = "Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-017" + Task = "Ensure 'IPsec Driver' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory IPsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "IPsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'IPsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-018" + Task = "Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-019" + Task = "Ensure 'Security State Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-020" + Task = "Ensure 'Security System Extension' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-021" + Task = "Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#RegistrySettings.ps1 new file mode 100644 index 0000000..b3ef92d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#RegistrySettings.ps1 
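Review bot: In every Test block of this hunk the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` is unreachable, because `throw` leaves the script block before it runs; either drop the `Write-Error` or move it ahead of the `throw`. The `$Matches[0]` read after `if ($line -notmatch "...")` is also fragile: if `Select-Object -Skip 3` leaves more than one line, `-notmatch` filters the array instead of returning a boolean and `$Matches` is not populated, so select a single line (for example `Select-Object -Skip 3 -First 1`) or join the lines before matching. The fourteen tests otherwise differ only in the subcategory name and the accepted values; a shared helper taking the subcategory and the list of compliant settings would shrink the file and keep the English/German regex in one place (any other UI language currently falls through to `Status = "Warning"`, which the comment should say). Minor: `-and` and `-And` are mixed inside the same condition.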
@@ -0,0 +1,3658 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "Registry-001" + Task = "Ensure 'Turn off Autoplay' is set to 'All drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-002" + Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-003" + Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-004" + Task = "Set registry value 'LocalAccountTokenFilterPolicy' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-005" + Task = "Set registry value 'EnhancedAntiSpoofing' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-006" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-007" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-008" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-009" + Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-010" + Task = "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-011" + Task = "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-012" + Task = "Ensure 'Configure registry policy processing' is set to '0'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-013" + Task = "Ensure 'Configure registry policy processing' is set to '0'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-014" + Task = "Set registry value 'AlwaysInstallElevated' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-015" + Task = "Ensure 'Allow user control over installs' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-016" + Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-017" + Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-018" + Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -notmatch "^(?:RequireMutualAuthentication=1,\s*RequireIntegrity=1|RequireIntegrity=1,\s*RequireMutualAuthentication=1)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: RequireMutualAuthentication=1, RequireIntegrity=1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-019" + Task = "Set registry value 'NoLockScreenCamera' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-020" + Task = "Set registry value 'NoLockScreenSlideshow' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-021" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-022" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is not set." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockInvocationLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-023" + Task = "Ensure 'Do not display network selection UI' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-024" + Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-025" + Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-026" + Task = "Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-027" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-028" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-029" + Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-030" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-031" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-032" + Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-033" + Task = "Set registry value 'MitigationOptions_FontBocking' to 1000000000000." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\MitigationOptions" ` + -Name "MitigationOptions_FontBocking" ` + | Select-Object -ExpandProperty "MitigationOptions_FontBocking" + + if ($regValue -ne "1000000000000") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1000000000000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-034" + Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-035" + Task = "Set registry value 'DisablePasswordSaving' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-036" + Task = "Set registry value 'fDisableCdm' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-037" + Task = "Set registry value 'fPromptForPassword' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-038" + Task = "Set registry value 'fEncryptRPCTraffic' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-039" + Task = "Set registry value 'MinEncryptionLevel' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-041" + Task = "Domain: Set registry value 'DefaultOutboundAction' to 0." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-042" + Task = "Domain: Set registry value 'DefaultInboundAction' to 1." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-043" + Task = "Domain: Set registry value 'EnableFirewall' to 1." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-044" + Task = "Private: Set registry value 'EnableFirewall' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-045" + Task = "Private: Set registry value 'DefaultInboundAction' to 1." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-046" + Task = "Private: Set registry value 'DefaultOutboundAction' to 0." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-047" + Task = "Public: Set registry value 'EnableFirewall' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-048" + Task = "Public: Set registry value 'DefaultOutboundAction' to 0." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-049" + Task = "Public: Set registry value 'DefaultInboundAction' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-050" + Task = "Set registry value 'AdmPwdEnabled' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-051" + Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-052" + Task = "Set registry value 'DriverLoadPolicy' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-053" + Task = "Set registry value 'NoNameReleaseOnDemand' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-054" + Task = "Set registry value 'EnableICMPRedirect' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-055" + Task = "Set registry value 'DisableIPSourceRouting' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-056" + Task = "Set registry value 'DisableIPSourceRouting' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-057" + Task = "Set registry value 'allownullsessionfallback' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-058" + Task = "Set registry value 'UseMachineId' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-059" + Task = "Set registry value 'InactivityTimeoutSecs' to 900." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -ne 900) { + return @{ + Message = "Registry value is '$regValue'. Expected: 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-060" + Task = "Set registry value 'ScRemoveOption' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-061" + Task = "Set registry value 'autodisconnect' to 15." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "autodisconnect" ` + | Select-Object -ExpandProperty "autodisconnect" + + if ($regValue -ne 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-062" + Task = "Set registry value 'SCENoApplyLegacyAuditPolicy' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-063" + Task = "Set registry value 'EnableVirtualization' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-064" + Task = "Set registry value 'FilterAdministratorToken' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-065" + Task = "Set registry value 'EnableLUA' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-066" + Task = "Set registry value 'EnableInstallerDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-067" + Task = "Set registry value 'EnableUIADesktopToggle' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-068" + Task = "Set registry value 'ConsentPromptBehaviorAdmin' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-069" + Task = "Set registry value 'ConsentPromptBehaviorUser' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-070" + Task = "Set registry value 'EnableSecureUIAPaths' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-071" + Task = "Set registry value 'LDAPClientIntegrity' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-072" + Task = "Set registry value 'LmCompatibilityLevel' to 5." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-073" + Task = "Set registry value 'EveryoneIncludesAnonymous' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-074" + Task = "Set registry value 'enablesecuritysignature' to 1." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-075" + Task = "Set registry value 'NTLMMinClientSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-076" + Task = "Set registry value 'sealsecurechannel' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "sealsecurechannel" ` + | Select-Object -ExpandProperty "sealsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-077" + Task = "Set registry value 'EnableSecuritySignature' to 1." + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-078" + Task = "Set registry value 'NTLMMinServerSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-079" + Task = "Set registry value 'requiresignorseal' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requiresignorseal" ` + | Select-Object -ExpandProperty "requiresignorseal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-080" + Task = "Set registry value 'signsecurechannel' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "signsecurechannel" ` + | Select-Object -ExpandProperty "signsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-081" + Task = "Set registry value 'RequireSecuritySignature' to 1." + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-082" + Task = "Set registry value 'requiresecuritysignature' to 1." 
+ Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-083" + Task = "Set registry value 'requirestrongkey' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requirestrongkey" ` + | Select-Object -ExpandProperty "requirestrongkey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-084" + Task = "Set registry value 'RestrictAnonymousSAM' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-085" + Task = "Set registry value 'RestrictNullSessAccess' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-086" + Task = "Set registry value 'ObCaseInsensitive' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-087" + Task = "Set registry value 'RestrictAnonymous' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-088" + Task = "Set registry value 'ProtectionMode' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-089" + Task = "Set registry value 'LimitBlankPasswordUse' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-090" + Task = "Set registry value 'maximumpasswordage' to 30." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "maximumpasswordage" ` + | Select-Object -ExpandProperty "maximumpasswordage" + + if ($regValue -ne 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-091" + Task = "Set registry value 'disablepasswordchange' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "disablepasswordchange" ` + | Select-Object -ExpandProperty "disablepasswordchange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-092" + Task = "Set registry value 'NoLMHash' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-093" + Task = "Set registry value 'EnablePlainTextPassword' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-094" + Task = "Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-095" + Task = "Ensure 'Turn off Windows Defender' is set to 'Disabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-096" + Task = "Ensure 'Turn on behavior monitoring' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-097" + Task = "Ensure 'Scan removable drives' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-098" + Task = "Ensure 'Turn on e-mail scanning' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-099" + Task = "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-100" + Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-101" + Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-102" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-103" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot and DMA Protection'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-104" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-105" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
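Review bot: Registry-103, Registry-104 and Registry-105 all carry the Task text "Ensure 'Turn On Virtualization Based Security' is set to ..." although they check three different values under the DeviceGuard key (RequirePlatformSecurityFeatures = 3, HypervisorEnforcedCodeIntegrity = 1, LsaCfgFlags = 1), and 104 and 105 are word-for-word identical, so a report reader cannot tell which sub-setting failed; name the registry value or the sub-option in each Task, e.g. `Task = "Ensure 'HypervisorEnforcedCodeIntegrity' is set to 1 (Enabled with UEFI lock)."` and the corresponding Credential Guard wording for LsaCfgFlags. Two smaller points: Registry-094 compares the RestrictRemoteSAM SDDL with plain string equality (`-ne "O:BAG:BAD:(A;;RC;;;BA)"`), so a semantically identical descriptor written in another order or with extra ACEs is reported as non-compliant; consider parsing it with `[System.Security.AccessControl.RawSecurityDescriptor]::new($regValue)` and comparing the ACL contents. And in Registry-095 through Registry-101 the guard `if ((-not $windefrunning))` returns Status "None" whenever `$windefrunning` is unset, not only when Defender is actually disabled, so make sure that variable is always assigned before these tests run or the whole Defender block silently drops out of the report.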
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#UserRights.ps1 new file mode 100644 index 0000000..21afa41 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2016-Microsoft-FINAL#UserRights.ps1 
@@ -0,0 +1,1031 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"UserRight-001" + Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-002" + Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) 
{ + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-003" + Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-004" + Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-005" + Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-006" + Task = 
"Ensure 'SeDenyInteractiveLogonRight' is set to 'S-1-5-32-546'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-007" + Task = "Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = 
$message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-008" + Task = "Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-009" + Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-010" + Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-20" + "S-1-5-19" + "S-1-5-6" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-011" + Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + 
"S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-012" + Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + 
Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-013" + Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-014" + Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-015" + Task = "Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. 
Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-016" + Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-017" + Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } 
+ + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-018" + Task = "Ensure 'SeNetworkLogonRight' is set to 'S-1-5-11, S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-019" + Task = "Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-020" + Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-114, S-1-5-32-546'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-114" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-021" + Task = "Ensure 
'SeImpersonatePrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-20" + "S-1-5-19" + "S-1-5-6" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-022" + Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-023" + Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-024" + Task = "Ensure 'SeTcbPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-025" + Task = "Ensure 'SeAuditPrivilege' is set to 'S-1-5-20, S-1-5-19'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-20" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-026" + Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 
'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-027" + Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-32-546, S-1-5-113'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + 
Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..d00b68c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#AccountPolicies.ps1 
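Review bot: UserRight-020 and UserRight-027 wrap `if (($missingUsers.Count -gt 0))` around an inner `if ($missingUsers.Count -gt 0)` that can never be false, and, unlike every other test in this hunk, they never compute or report `$unexpectedUsers`. If that is intentional for the two Deny rights (additional denied principals do not weaken the control), a one-line comment saying so would stop the next reader from "fixing" it; otherwise the `$unexpectedUsers` check and message should be restored as in UserRight-018. The missing-user message also reads "The user 'SeBackupPrivilege' setting does not contain the following users" while the sibling message says "The user right 'SeBackupPrivilege' contains following unexpected users"; make both say "user right" and fix "contains following" to "contains the following". Since the compare-and-report block is repeated verbatim with only the privilege name and SID list changing, a helper taking the right name and the expected SIDs would shrink this file and make the Deny-right exception explicit in one place.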
@@ -0,0 +1,283 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 1) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 14) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 15 -or $setPolicy -gt 99999) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 5 -or $setPolicy -le 0) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'AllowAdministratorLockout' currently set to: $setPolicy. 
Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 99999 -or $setPolicy -lt 15) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x <= 99999 minutes and x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..da2f9f0 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#AuditPolicies.ps1 
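Review bot: test 1.1.1 fails any value other than exactly 24 (`if ($setPolicy -ne 24)`), but its Task text quotes the benchmark wording "24 or more password(s)", so a stricter policy of, say, 30 remembered passwords would be reported as non-compliant with "Expected: 24". Change the check to `if ($setPolicy -lt 24)` and the message to `Expected: x >= 24`, following the pattern already used by 1.1.3 (`-lt 1`) and 1.1.4 (`-lt 14`). In 1.1.2, the `-1` special case is documented only by the inline comment `#Setting 0 in GroupPolicy translates to -1 in AuditPolicy`; worth keeping, but it should note that `$setPolicy` is replaced by the string "Password never expires" purely for the message, since the variable is not reused afterwards.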
@@ -0,0 +1,2036 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.2" + Task = "(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.3" + Task = "(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.6" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.1" + Task = "(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.2" + Task = "(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
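Review bot: In every Test block of this file, `Write-Error -Message $errorString` sits after `throw [System.ArgumentException] $errorString`, so it is never reached; either drop the Write-Error or move it before the throw if the intent is to log and then fail. The same applies to the `$line -notmatch "(No Auditing|...)$"` check: `$line` is built with `Where-Object { $_ } | Select-Object -Skip 3`, and if auditpol ever returns more than one data line, `$line` is an array, `-notmatch` yields the non-matching elements instead of a boolean, and `$Matches` is not populated, so `$Matches[0]` is stale or null; selecting a single line (e.g. `Select-Object -Skip 3 -First 1`) would make the later comparison safe. Minor style: the operator casing alternates between `-and` and `-And` within the same condition, and the body from `$auditPolicyString = auditpol ...` down to the final return is identical across all tests except the accepted values, so a shared helper taking the subcategory name and the allowed settings would shrink the file and give one place to fix these issues.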
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..eb0281c --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#RegistrySettings.ps1 
@@ -0,0 +1,12919 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.1" + Task = "(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SubmitControl" ` + | Select-Object -ExpandProperty "SubmitControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.2" + Task = "(L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "vulnerablechannelallowlist" ` + | Select-Object -ExpandProperty "vulnerablechannelallowlist" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.3" + Task = "(L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.4" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.5" + Task = "(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if ($regValue -le 0 -or $regValue -gt 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -gt 900 -or $regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if ($regValue -gt 14 -or $regValue -lt 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ForceUnlockLogon" ` + | Select-Object -ExpandProperty "ForceUnlockLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 1 - 'Lock Workstation' or 2 / 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if ($regValue -gt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC NETLOGON SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +$CARoleStatus = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed +$WINSStatus = (Get-WindowsFeature -Name WINS).Installed +[AuditTest] @{ + Id = "2.3.10.9 A" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' [WINS Role Feature and CA Role Service NOT installed]" + Test = { + try { + if (($CARoleStatus -or $WINSStatus) -eq $true){ + return @{ + Message = "WINS Role Feature or CA Role Service are installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 B" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [CA Role Service installed]" + Test = { + try { + if ($CARoleStatus -eq $false){ + return @{ + Message = "CA Role Service NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + 
"Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\CertSvc" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 C" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [WINS Role Feature installed]" + Test = { + try { + if ($WINSStatus -eq $false){ + return @{ + Message = "WINS Role Feature NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\WINS" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\WINS" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.13" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 1 - 'Negotiate signing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.11" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AuditReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "AuditReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.12" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' is set to 'Enable all' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "AuditNTLMInDomain" ` + | Select-Object -ExpandProperty "AuditNTLMInDomain" + + if ($regValue -ne 7) { + return @{ + Message = "Registry value is '$regValue'. Expected: 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.13" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 1 - 'Audit all' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.13.1" + Task = "(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ShutdownWithoutLogon" ` + | Select-Object -ExpandProperty "ShutdownWithoutLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + 
Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + 
$expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is 
set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to 
'%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = 
"9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows 
Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' 
is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" 
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" ` + -Name "EnableCertPaddingCheck" ` + | Select-Object -ExpandProperty "EnableCertPaddingCheck" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'LSA Protection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.8" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.9" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if ($regValue -gt 90) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' or 0 - 'Enabled: Disable NetBIOS name resolution'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if ($regValue -ne 2 -and $regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "Require Privacy") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "Require Privacy") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." 
+ Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($null -eq $regValue -or $regValue -gt 3 -or $regValue -lt 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1-3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: 0 - Negotiate' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if ($regValue -ne 0 -and $regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 1 - 'Secure Boot' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -ne 1 -and $regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.7" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.5" + Task = "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.6" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.7" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Configure password backup directory' is set to 2 - 'Enabled: Active Directory' or 1 - 'Enabled: Azure Active Directory'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "BackupDirectory" ` + | Select-Object -ExpandProperty "BackupDirectory" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.3" + Task = "(L1) Ensure 'Enable password encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "ADPasswordEncryptionEnabled" ` + | Select-Object -ExpandProperty "ADPasswordEncryptionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if ($regValue -lt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if ($regValue -gt 30 -or $regValue -lt 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x >= 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.7" + Task = "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationResetDelay" ` + | Select-Object -ExpandProperty "PostAuthenticationResetDelay" + + if ($regValue -gt 8 -or $regValue -le 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 8 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.8" + Task = "(L1) Ensure 'Post-authentication actions: Actions' is set to 3 - 'Enabled: Reset the password and logoff the managed account' or 5 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationActions" ` + | Select-Object -ExpandProperty "PostAuthenticationActions" + + if ($regValue -ne 3 -and $regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3 or 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.1" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.2" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.3" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.4" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.2" + Task = "(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.2" + Task = "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.12.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.2" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if ($regValue -ne 1 -and $regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if ($regValue -ne 0 -and $regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.1" + Task = "(L1) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.4" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -lt 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.36.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.40.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 M" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } +} +} +[AuditTest] @{ + Id = "18.10.42.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.7.1" + Task = "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.1" + Task = "(L1) Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.2" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.3" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.17" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.55.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.2.1" + Task = "(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser" ` + | Select-Object -ExpandProperty "fSingleSessionPerUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.1" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.2" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.3" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.4" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if ($regValue -gt 900000 -or $regValue -eq 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.3" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.4" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.62.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if ($regValue -ne 1 -and $regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.1" + Task = "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.2" + Task = "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if ($regValue -lt 180 -or $regValue -gt 365) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.26.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.42.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.44.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..59b8d27 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#SecurityOptions.ps1 
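Review bot: every test in this hunk (19.5.1.1 through 19.7.44.2.1) reads `Registry::HKEY_CURRENT_USER\...`, so the verdict reflects only the profile of the account that runs the audit and says nothing about how the user-configuration policy applies to other users; please state that in the Task text or a comment so the report is not read as a machine-wide result. For 19.7.42.1 (`AlwaysInstallElevated`) this matters most, because the Installer only honours elevation when both the machine and the user value are set, so the HKCU check should be cross-referenced with its HKLM counterpart if that lives elsewhere in the group. Also, the tests that expect a non-default value (`Expected: 2` for `SaveZoneInformation` and `ConfigureWindowsSpotlight`, `Expected: 3` for `ScanWithAntiVirus`) mark an absent value as "Registry value not found." / `Status = "False"`, which is the strict "must be explicitly configured" reading of the benchmark; a one-line comment saying that is deliberate would stop it being mistaken for a bug.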
@@ -0,0 +1,133 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#UserRights.ps1 new file mode 100644 index 0000000..1871ea1 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-CIS-3.0.0#UserRights.ps1 
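Review bot: in 2.3.1.4 and 2.3.1.5 the failure message prints the raw pattern (`Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`), which gives an operator nothing to act on; describe the rule in words instead, e.g. "any name of 1 to 20 characters other than 'Administrator'" (and "'Guest' or 'Gast'" for 2.3.1.5). The `(?i)` inline option is redundant, since `-notmatch` is already case-insensitive in PowerShell. Note as well that `\b` rejects only the exact word, so `Administrator2` or `Administrators` pass the check; if that is the intended reading of the benchmark, a short comment would make it clear.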
@@ -0,0 +1,1979 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the 
operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the system time' is 
set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ 
+ Id = "2.2.17" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if 
($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators [Hyper-V-Feature NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 
'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + 
return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Deny access to 
this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-114" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup 
Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +$adfsModule = Get-Module -Name ADFS +if($null -eq $adfsModule){ +[AuditTest] @{ + Id = "2.2.31 A" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.31 B" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016" + "S-1-5-80-2246541699-21809830-3603976364-117610243-975697593" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if((Get-WindowsFeature -Name web-server).installed -ne $true){ +[AuditTest] @{ + Id = "2.2.33 A" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' 
[IIS Role NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.33 B" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-32-568" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = 
$identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = 
"2.2.35" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.43" + Task = "(L1) Ensure 'Profile single 
process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + 
"S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } 
+ + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" + Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.49" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count 
-gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#AccountPolicies.ps1 new file mode 100644 index 0000000..66c37d2 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#AccountPolicies.ps1 
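Review bot: the `Where-Object { $null -ne $_ }` after `ConvertTo-NTAccountUser` silently drops any expected SID that cannot be resolved on the audited host, so in every test body of this hunk an unresolvable expected account shrinks `$identityAccounts` and the "does not contain the following users" branch can never fire for it; a right the benchmark says must be held by Administrators (or by `NT SERVICE\WdiServiceHost` in 2.2.44, SID `S-1-5-80-3139157870-...`) would then be reported as `Status = "True"` even when it is assigned to nobody. Consider returning `Status = "Warning"` when the resolved set is smaller than the SID list instead of filtering the nulls away. Two smaller points: the second message reads `"The user 'SeSecurityPrivilege' setting does not contain ..."` where the first says `"The user right ..."`, and every test body here differs only in the privilege name and the SID list, so a shared helper taking those two arguments would keep the DC-only/MS-only pairs (the `SeSecurityPrivilege` test that closes at the top of this hunk and 2.2.39 are byte-for-byte identical) from drifting apart.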
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "V-93141" + Task = "Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 3 -or $setPolicy -eq 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93143" + Task = "Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93145" + Task = "Windows Server 2019 account lockout duration must be configured to 15 minutes or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15) -and ($setPolicy -ne 0)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. 
Expected: x >= 15 or x == 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93459" + Task = "Windows Server 2019 must have the built-in Windows password complexity policy enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93463" + Task = "Windows Server 2019 minimum password length must be configured to 14 characters." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93465" + Task = "Windows Server 2019 reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93471" + Task = "Windows Server 2019 minimum password age must be configured to at least one day." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -eq 0)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93477" + Task = "Windows Server 2019 maximum password age must be configured to 60 days or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 60 -or $setPolicy -eq 0)) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93479" + Task = "Windows Server 2019 password history must be configured to 24 passwords remembered." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. 
Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#AuditPolicies.ps1 new file mode 100644 index 0000000..40d639d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#AuditPolicies.ps1 
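Review bot: the threshold in V-93141 is inverted: the task text says three or fewer bad logon attempts, but `if (($setPolicy -lt 3 -or $setPolicy -eq 0))` fails the stricter values 1 and 2 and passes anything above 3; it should be `-gt 3 -or -eq 0`, and the message `Expected: x >= 3 and x != 0` should read `x <= 3 and x != 0`. Related: if `WindowsSecurityPolicy` is populated from a `secedit /export` template, "never expires" and "until an administrator unlocks" are stored there as -1 rather than the 0 the GUI shows, so V-93477 would accept `MaximumPasswordAge = -1` as compliant and V-93145 would reject a `LockoutDuration = -1` that the check is meant to allow; worth handling both encodings before the `[long]` cast comparisons. Also V-93479 uses `-ne 24`, which fails values above 24 even though a longer history is stricter than the requirement; `-lt 24` matches the intent.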
@@ -0,0 +1,1502 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "V-92967 + V-92969" + Task = "Windows Server 2019 must be configured to audit logon successes. Windows Server 2019 must be configured to audit logon failures." + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-92979" + Task = "Windows Server 2019 must be configured to audit Account Management - Security Group Management successes." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-92981 + V-92983" + Task = "Windows Server 2019 must be configured to audit Account Management - User Account Management successes. Windows Server 2019 must be configured to audit Account Management - User Account Management failures." + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-92985" + Task = "Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-92987 + V-92989" + Task = "Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes. Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93089" + Task = "Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93091" + Task = "Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93093 + V-93095" + Task = "Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes. Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93097" + Task = "Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93099" + Task = "Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93101 + V-93103" + Task = "Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes. Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93105 + V-93107" + Task = "Windows Server 2019 must be configured to audit System - IPsec Driver successes. Windows Server 2019 must be configured to audit System - IPsec Driver failures." + Test = { + # Get the audit policy for the subcategory IPsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "IPsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'IPsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93109 + V-93111" + Task = "Windows Server 2019 must be configured to audit System - Other System Events successes. 
Windows Server 2019 must be configured to audit System - Other System Events failures." + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93113" + Task = "Windows Server 2019 must be configured to audit System - Security State Change successes." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93115" + Task = "Windows Server 2019 must be configured to audit System - Security System Extension successes." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93117 + V-93119" + Task = "Windows Server 2019 must be configured to audit System - System Integrity successes. Windows Server 2019 must be configured to audit System - System Integrity failures." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93133 + V-93135" + Task = "Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes. Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." 
+ Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93137 + V-93139" + Task = "Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes. Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." 
+ Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93153 + V-93155" + Task = "Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes. Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." 
+ Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93157" + Task = "Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." 
+ Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93159" + Task = "Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93161" + Task = "Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93163 + V-93165" + Task = "Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes. Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93167 + V-93169" + Task = "Windows Server 2019 must be configured to audit Object Access - Removable Storage successes. Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-93171" + Task = "Windows Server 2019 must be configured to audit logoff successes." 
+ Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#RegistrySettings.ps1 new file mode 100644 index 0000000..ae129c1 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#RegistrySettings.ps1 
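Review bot: In every `$LASTEXITCODE -ne 0` branch of these audit-policy tests, `Write-Error -Message $errorString` is placed directly after `throw [System.ArgumentException] $errorString` and so never executes; either drop the `Write-Error` or move it before the `throw`. A second, subtler problem is that `$line` from `Where-Object { $_ } | Select-Object -Skip 3` is a single string only as long as `auditpol /get /subcategory:` prints exactly one subcategory line; if it ever yields more than one, `-notmatch` acts as a filter rather than a boolean and does not populate `$Matches`, so `$Matches[0]` silently reuses a value from a previous test. Coercing with `[string]` or adding `-First 1` to the `Select-Object` would make the match deterministic, and the comparison chains mix `-and` and `-And`, which is worth normalizing while touching these lines.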
@@ -0,0 +1,3482 @@ +[AuditTest] @{ + Id = "V-92961" + Task = "Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-92971" + Task = "Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-92973" + Task = "Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93045" + Task = "Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93147" + Task = "Windows Server 2019 required legal notice must be configured to display before console logon." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + if ($regValue -ne "See message text below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message text below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93149" + Task = "Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + if ($regValue -ne "See message title options below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message title options below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93151" + Task = "Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93173" + Task = "Windows Server 2019 command line data must be included in process creation events." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93175" + Task = "Windows Server 2019 PowerShell script block logging must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93177" + Task = "Windows Server 2019 Application event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93179" + Task = "Windows Server 2019 Security event log size must be configured to 196608 KB or greater." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93181" + Task = "Windows Server 2019 System event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93199" + Task = "Windows Server 2019 must prevent users from changing installation options." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93201" + Task = "Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93233" + Task = "Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93235" + Task = "Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93237" + Task = "Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93239" + Task = "Windows Server 2019 insecure logons to an SMB server must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93243" + Task = "Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93249" + Task = "Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if (($regValue -ne 1) -and ($regValue -ne 3) -and ($regValue -ne 8)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 3 or x == 8" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93251" + Task = "Windows Server 2019 group policy objects must be reprocessed even if they have not changed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93253" + Task = "Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93255" + Task = "Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93261" + Task = "Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93263" + Task = "Windows Server 2019 File Explorer shell protocol must run in protected mode." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93265" + Task = "Windows Server 2019 must prevent attachments from being downloaded from RSS feeds." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93267" + Task = "Windows Server 2019 users must be notified if a web-based program attempts to install software." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93269" + Task = "Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93273" + Task = "Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93279" + Task = "Windows Server 2019 must prevent local accounts with blank passwords from being used from the network." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93285" + Task = "Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93291" + Task = "Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93293" + Task = "Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93295" + Task = "Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93297" + Task = "Windows Server 2019 must prevent NTLM from falling back to a Null session." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93299" + Task = "Windows Server 2019 must prevent PKU2U authentication using online identities." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93301" + Task = "Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93303" + Task = "Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93305" + Task = "Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93307" + Task = "Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93309" + Task = "Windows Server 2019 default permissions of global system objects must be strengthened." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93311" + Task = "Windows Server 2019 must preserve zone information when saving attachments." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93373" + Task = "Windows Server 2019 Autoplay must be turned off for non-volume devices." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93375" + Task = "Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93377" + Task = "Windows Server 2019 AutoPlay must be disabled for all drives." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93393" + Task = "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93395" + Task = "Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93399" + Task = "Windows Server 2019 must prevent the display of slide shows on the lock screen." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93401" + Task = "Windows Server 2019 must have WDigest Authentication disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93403" + Task = "Windows Server 2019 downloading print driver packages over HTTP must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93405" + Task = "Windows Server 2019 printing over HTTP must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93407" + Task = "Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93409" + Task = "Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." + Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93411" + Task = "Windows Server 2019 Windows Defender SmartScreen must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93413" + Task = "Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93415" + Task = "Windows Server 2019 must prevent Indexing of encrypted files." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93419" + Task = "Windows Server 2019 local users on domain-joined member servers must not be enumerated." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93425" + Task = "Windows Server 2019 must not save passwords in the Remote Desktop Client." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93427" + Task = "Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93429" + Task = "Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93431" + Task = "Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93433" + Task = "Windows Server 2019 User Account Control must automatically deny standard user requests for elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93435" + Task = "Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93453" + Task = "Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Standalone Workstation", "Member Workstation", "Standalone Server", "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93455" + Task = "Windows Server 2019 computer account password must not be prevented from being reset." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93467" + Task = "Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93469" + Task = "Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93493" + Task = "Windows Server 2019 users must be required to enter a password to access private keys stored on the computer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93495" + Task = "Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93499" + Task = "Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93501" + Task = "Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93503" + Task = "Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93505" + Task = "Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93507" + Task = "Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93511" + Task = "Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93517" + Task = "Windows Server 2019 administrator accounts must not be enumerated during elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93519" + Task = "Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93521" + Task = "Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93525" + Task = "Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93527" + Task = "Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93529" + Task = "Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93533" + Task = "Windows Server 2019 Remote Desktop Services must prevent drive redirection." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93537" + Task = "Windows Server 2019 must not allow anonymous enumeration of shares." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93539" + Task = "Windows Server 2019 must restrict anonymous access to Named Pipes and Shares." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93541" + Task = "Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93545" + Task = "Windows Server 2019 domain controllers must require LDAP access signing." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93547" + Task = "Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93549" + Task = "Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93551" + Task = "Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93553" + Task = "Windows Server 2019 must be configured to require a strong session key." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93555" + Task = "Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." 
+ Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-93557" + Task = "Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-93559" + Task = "Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-93561" + Task = "Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." 
+ Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-93563" + Task = "Windows Server 2019 Explorer Data Execution Prevention must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
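Review bot: In V-93559 and V-93561 the registry fallback never compares the value it reads: after `Select-Object -ExpandProperty` it returns `Status = "Warning"` unconditionally, so a server whose `RequireSecuritySignature` or `EnableSecuritySignature` is 0 is reported as Warning rather than False, unlike the client-side counterparts V-93555 and V-93557, which test `$regValue -ne 1` before returning. Suggest adding the same `if ($regValue -ne 1) { ... Status = "False" }` ahead of the Warning return, and replacing the dangling "See here and here" in the message with the actual references (or dropping it), since the message carries no links.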
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#SecurityOptions.ps1 new file mode 100644 index 0000000..8212e96 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-DISA-V1R5#SecurityOptions.ps1 
@@ -0,0 +1,104 @@ +[AuditTest] @{ + Id = "V-93281" + Task = "Windows Server 2019 built-in administrator account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93283" + Task = "Windows Server 2019 built-in guest account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93289" + Task = "Windows Server 2019 must not allow anonymous SID/Name translation." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-93497" + Task = "Windows Server 2019 must have the built-in guest account disabled." 
+ Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#AccountPolicies.ps1 new file mode 100644 index 0000000..dab2b4d --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#AccountPolicies.ps1 
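Review bot: In the SecurityOptions hunk above, V-93289 and V-93497 compare `$setOption -ne 0` without normalizing the type returned by `Get-AuditResource "WindowsSecurityPolicy"`, while the sibling AccountPolicies tests cast with `[long]` first; suggest the same `$setOption = [long]$setOption` here so the comparison does not depend on PowerShell's left-operand coercion. Also, `-notmatch` is already case-insensitive, so V-93281 rejects "administrator" in any casing without saying so, while V-93283 spells it out with `(?i)`; use the same form in both so the intent is explicit.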
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "AccountPolicy-001" + Task = "Ensure 'MinimumPasswordAge' is set to '1'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-002" + Task = "Ensure 'MaximumPasswordAge' is set to '60'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 60) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: 60" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-003" + Task = "Ensure 'MinimumPasswordLength' is set to '14'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 14) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-004" + Task = "Ensure 'PasswordComplexity' is set to '1'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-005" + Task = "Ensure 'PasswordHistorySize' is set to '24'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-006" + Task = "Ensure 'LockoutBadCount' is set to '10'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 10) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: 10" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-007" + Task = "Ensure 'ResetLockoutCount' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." 
+ Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 15) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-008" + Task = "Ensure 'LockoutDuration' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 15) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: 15" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-009" + Task = "Ensure 'ClearTextPassword' is set to '0'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#AuditPolicies.ps1 new file mode 100644 index 0000000..002cdb7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#AuditPolicies.ps1 
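Review bot: In the AccountPolicies hunk above, every check is exact equality (`-ne 60`, `-ne 14`, `-ne 24`, `-ne 10`, `-ne 15`), so a configuration stricter than the baseline, for example `MinimumPasswordLength` of 16 or `LockoutBadCount` of 5, is reported as non-compliant with "Expected: 14" or "Expected: 10". If the baseline values are meant as bounds, compare with `-lt`/`-gt` per setting (keeping `0` for `MaximumPasswordAge` as a failure, since 0 means passwords never expire); if a literal match is intended, say so in the Message so the reader does not take a stricter value for a misconfiguration.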
@@ -0,0 +1,1388 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "AuditPolicy-001" + Task = "Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-002" + Task = "Ensure 'Security Group Management' is set to 'Success'." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-003" + Task = "Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-004" + Task = "Ensure 'PNP Activity' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-005" + Task = "Ensure 'Process Creation' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-006" + Task = "Ensure 'Account Lockout' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-007" + Task = "Ensure 'Group Membership' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-008" + Task = "Ensure 'Logon' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-009" + Task = "Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-010" + Task = "Ensure 'Special Logon' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-011" + Task = "Ensure 'Detailed File Share' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-012" + Task = "Ensure 'File Share' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-013" + Task = "Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-014" + Task = "Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-015" + Task = "Ensure 'Audit Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-016" + Task = "Ensure 'Authentication Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-017" + Task = "Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory MPSSVC Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "MPSSVC Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'MPSSVC Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-018" + Task = "Ensure 'Other Policy Change Events' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-019" + Task = "Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-020" + Task = "Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-021" + Task = "Ensure 'Security State Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-022" + Task = "Ensure 'Security System Extension' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-023" + Task = "Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#RegistrySettings.ps1 new file mode 100644 index 0000000..749400a --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#RegistrySettings.ps1 
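Review bot: `Write-Error -Message $errorString` is unreachable in every `AuditPolicy-*` test in this hunk, because it sits after `throw [System.ArgumentException] $errorString`, which leaves the `Test` script block before the next statement runs; either drop the `Write-Error` or move it in front of the `throw`. Two further points on the same block, which is repeated verbatim from `AuditPolicy-001` to `AuditPolicy-023`: (1) `$line = $auditPolicyString | Where-Object { $_ } | Select-Object -Skip 3` assumes `auditpol` prints exactly one non-empty line after three header lines, and `-notmatch` only populates `$Matches` when its left operand is a scalar, so any extra output line turns `$line` into an array, makes the `if` pass on an empty filtered array and leaves `$Matches[0]` holding whatever an earlier test matched; `Select-Object -Last 1`, or `auditpol /get /subcategory:"$subCategoryGUID" /r` piped to `ConvertFrom-Csv` to read the setting column, avoids counting header lines (the setting text itself is still localized, so the `Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler` alternation stays necessary). (2) The roughly 50 lines of GUID lookup, `auditpol` call, exit-code check and parsing belong in one helper, e.g. `Get-AuditPolicySetting -Subcategory "Credential Validation"` returning the setting string, with each test reduced to the comparison against its required value ("Success", "Failure" or "Success and Failure"); that also keeps the localized strings in one place when further locales are added.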
@@ -0,0 +1,9235 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "Registry-001" + Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "RunThisTimeEnabled" ` + | Select-Object -ExpandProperty "RunThisTimeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-002" + Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "VersionCheckEnabled" ` + | Select-Object -ExpandProperty "VersionCheckEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-003" + Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-004" + Task = "Set registry value 'CheckExeSignatures' to yes." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-005" + Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-006" + Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-007" + Task = "Set registry value 'Isolation' to PMEM." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-008" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_DISABLE_MK_PROTOCOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-009" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_DISABLE_MK_PROTOCOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-010" + Task = "Set registry value 'explorer.exe' to 1. (FEATURE_DISABLE_MK_PROTOCOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-011" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_MIME_HANDLING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-012" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_MIME_HANDLING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-013" + Task = "Set registry value '(Reserved)' to 1. 
(FEATURE_MIME_HANDLING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-014" + Task = "Set registry value 'explorer.exe' to 1. (FEATURE_MIME_SNIFFING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-015" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_MIME_SNIFFING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-016" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_MIME_SNIFFING)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-017" + Task = "Set registry value '(Reserved)' to 1. 
(FEATURE_RESTRICT_ACTIVEXINSTALL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-018" + Task = "Set registry value 'explorer.exe' to 1. (FEATURE_RESTRICT_ACTIVEXINSTALL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-019" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_RESTRICT_ACTIVEXINSTALL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-020" + Task = "Set registry value '(Reserved)' to 1. (FEATURE_RESTRICT_FILEDOWNLOAD)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-021" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_RESTRICT_FILEDOWNLOAD)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-022" + Task = "Set registry value 'explorer.exe' to 1. (FEATURE_RESTRICT_FILEDOWNLOAD)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-023" + Task = "Set registry value '(Reserved)' to 1. 
(FEATURE_SECURITYBAND)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-024" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_SECURITYBAND)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-025" + Task = "Set registry value 'explorer.exe' to 1. 
(FEATURE_SECURITYBAND)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-026" + Task = "Set registry value 'iexplore.exe' to 1. (FEATURE_WINDOW_RESTRICTIONS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-027" + Task = "Set registry value '(Reserved)' to 1. 
(FEATURE_WINDOW_RESTRICTIONS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-028" + Task = "Set registry value 'explorer.exe' to 1. (FEATURE_WINDOW_RESTRICTIONS)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-029" + Task = "Set registry value '(Reserved)' to 1. 
(FEATURE_ZONE_ELEVATION)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-030" + Task = "Set registry value 'explorer.exe' to 1. (FEATURE_ZONE_ELEVATION)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-031" + Task = "Set registry value 'iexplore.exe' to 1. 
(FEATURE_ZONE_ELEVATION)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-032" + Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-033" + Task = "Set registry value 'PreventOverride' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-034" + Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-035" + Task = "Set registry value 'NoCrashDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-036" + Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-037" + Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-038" + Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" ` + -Name "OnlyUseAXISForActiveXInstall" ` + | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-039" + Task = "Set registry value 'Security_zones_map_edit' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-040" + Task = "Set registry value 'Security_options_edit' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-041" + Task = "Set registry value 'Security_HKLM_only' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-042" + Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-043" + Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-044" + Task = "Set registry value 'WarnOnBadCertRecving' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-045" + Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "EnableSSL3Fallback" ` + | Select-Object -ExpandProperty "EnableSSL3Fallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-046" + Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if ($regValue -ne 2560) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-047" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. (Lockdown_Zones/0)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-048" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Lockdown_Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-049" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. (Lockdown_Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-050" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Lockdown_Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-051" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-052" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Lockdown_Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-053" + Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-054" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Zones/0)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-055" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. (Zones/0)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-056" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. 
(Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-057" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. (Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-058" + Task = "Ensure 'Java permissions' is set to 'High safety'. 
(Zones/1)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-059" + Task = "Ensure 'Java permissions' is set to 'High safety'. (Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-060" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. 
(Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-061" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. (Zones/2)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-062" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-063" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-064" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-065" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-066" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-067" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-068" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-069" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-070" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-071" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-072" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-073" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-074" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-075" + Task = "Ensure 'Userdata persistence' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-076" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-077" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-078" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-079" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-080" + Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-081" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-082" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-083" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-084" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-085" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-086" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-087" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-088" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-089" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-090" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-091" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-092" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. 
(Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-093" + Task = "Set registry value '140C' to 3. (Zones/3)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-094" + Task = "Ensure 'Allow META REFRESH' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-095" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-096" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-097" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-098" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-099" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-100" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-101" + Task = "Ensure 'Userdata persistence' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-102" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-103" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-104" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-105" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-106" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-107" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-108" + Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-109" + Task = "Ensure 'Scripting of Java applets' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-110" + Task = "Ensure 'Allow file downloads' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-111" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-112" + Task = "Ensure 'Allow active scripting' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-113" + Task = "Ensure 'Logon options' is set to 'Anonymous logon'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-114" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-115" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-116" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-117" + Task = "Ensure 'Java permissions' is set to 'Disable Java'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-118" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-119" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-120" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-121" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-122" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-123" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-124" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-125" + Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-126" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-127" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-128" + Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-129" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-130" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-131" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. 
(Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-132" + Task = "Set registry value '140C' to 3. (Zones/4)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-133" + Task = "Set registry value 'PUAProtection' to 1." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-134" + Task = "Ensure 'Turn on behavior monitoring' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-135" + Task = "Ensure 'Scan removable drives' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-136" + Task = "Ensure 'Turn on e-mail scanning' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-137" + Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-138" + Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-139" + Task = "Set registry value 'ExploitGuard_ASR_Rules' to 1." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-140" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-141" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-142" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-143" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-144" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-145" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-146" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-147" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-148" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-149" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-150" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-151" + Task = "Set registry value 'EnableNetworkProtection' to 1." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-161" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-162" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -eq 3) { + return @{ + Message = "Set to 'Secure Boot and DMA Protection' which is more secure." + Status = "True" + } + } + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-163" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. (HypervisorEnforcedCodeIntegrity)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-164" + Task = "Set registry value 'HVCIMATRequired' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-165" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. (LsaCfgFlags)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-166" + Task = "Set registry value 'ConfigureSystemGuardLaunch' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-167" + Task = "Ensure 'Turn off Autoplay' is set to 'All drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-168" + Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-169" + Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-170" + Task = "Set registry value 'LocalAccountTokenFilterPolicy' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-171" + Task = "Set registry value 'AllowEncryptionOracle' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-172" + Task = "Set registry value 'EnhancedAntiSpoofing' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-173" + Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-174" + Task = "Set registry value 'AllowProtectedCreds' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-175" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-176" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-177" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-178" + Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-179" + Task = "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-180" + Task = "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-181" + Task = "Ensure 'Configure registry policy processing' is set to '0'. (NoBackgroundPolicy)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-182" + Task = "Ensure 'Configure registry policy processing' is set to '0'. 
(NoGPOListChanges)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-183" + Task = "Set registry value 'AlwaysInstallElevated' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-184" + Task = "Ensure 'Allow user control over installs' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-185" + Task = "Set registry value 'DeviceEnumerationPolicy' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-186" + Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-187" + Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-188" + Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-189" + Task = "Set registry value 'NoLockScreenCamera' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-190" + Task = "Set registry value 'NoLockScreenSlideshow' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-191" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-192" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockInvocationLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-193" + Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-194" + Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-195" + Task = "Set registry value 'ShellSmartScreenLevel' to Block." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-196" + Task = "Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-197" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'. (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-198" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'. 
(Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-199" + Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'. (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-200" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'. (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-201" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'. (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-202" + Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-203" + Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-204" + Task = "Set registry value 'DisablePasswordSaving' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-205" + Task = "Set registry value 'fDisableCdm' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-206" + Task = "Set registry value 'fPromptForPassword' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-207" + Task = "Set registry value 'fEncryptRPCTraffic' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-208" + Task = "Set registry value 'MinEncryptionLevel' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-210" + Task = "Set registry value 'DefaultOutboundAction' to 0. 
(DomainProfile)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-211" + Task = "Set registry value 'DefaultInboundAction' to 1. (DomainProfile)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-212" + Task = "Set registry value 'EnableFirewall' to 1. 
(DomainProfile)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-213" + Task = "Set registry value 'EnableFirewall' to 1. (PrivateProfile)" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-214" + Task = "Set registry value 'DefaultInboundAction' to 1. (PrivateProfile)" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-215" + Task = "Set registry value 'DefaultOutboundAction' to 0. 
(PrivateProfile)" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-216" + Task = "Set registry value 'EnableFirewall' to 1. (PublicProfile)" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-217" + Task = "Set registry value 'DefaultOutboundAction' to 0. (PublicProfile)" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-218" + Task = "Set registry value 'DefaultInboundAction' to 1. 
(PublicProfile)" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-219" + Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-220" + Task = "Set registry value 'AdmPwdEnabled' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-221" + Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-222" + Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-223" + Task = "Set registry value 'DriverLoadPolicy' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-224" + Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-225" + Task = "Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-226" + Task = "Set registry value 'NoNameReleaseOnDemand' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-227" + Task = "Set registry value 'EnableICMPRedirect' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-228" + Task = "Set registry value 'DisableIPSourceRouting' to 2. (Tcpip)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-229" + Task = "Set registry value 'DisableIPSourceRouting' to 2. (Tcpip6)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-230" + Task = "Set registry value 'allownullsessionfallback' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-231" + Task = "Set registry value 'InactivityTimeoutSecs' to 900." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -ne 900) { + return @{ + Message = "Registry value is '$regValue'. Expected: 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-232" + Task = "Set registry value 'ScRemoveOption' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-233" + Task = "Set registry value 'SCENoApplyLegacyAuditPolicy' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-234" + Task = "Set registry value 'EnableVirtualization' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-235" + Task = "Set registry value 'FilterAdministratorToken' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-236" + Task = "Set registry value 'EnableLUA' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-237" + Task = "Set registry value 'EnableInstallerDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-238" + Task = "Set registry value 'ConsentPromptBehaviorAdmin' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-239" + Task = "Set registry value 'ConsentPromptBehaviorUser' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-240" + Task = "Set registry value 'EnableSecureUIAPaths' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-241" + Task = "Set registry value 'LDAPClientIntegrity' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-242" + Task = "Set registry value 'LmCompatibilityLevel' to 5." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-243" + Task = "Set registry value 'NTLMMinClientSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-244" + Task = "Set registry value 'sealsecurechannel' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "sealsecurechannel" ` + | Select-Object -ExpandProperty "sealsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-245" + Task = "Set registry value 'NTLMMinServerSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-246" + Task = "Set registry value 'requiresignorseal' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requiresignorseal" ` + | Select-Object -ExpandProperty "requiresignorseal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-247" + Task = "Set registry value 'signsecurechannel' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "signsecurechannel" ` + | Select-Object -ExpandProperty "signsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-248" + Task = "Set registry value 'RequireSecuritySignature' to 1." 
+ Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-249" + Task = "Set registry value 'requiresecuritysignature' to 1." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-250" + Task = "Set registry value 'requirestrongkey' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requirestrongkey" ` + | Select-Object -ExpandProperty "requirestrongkey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-251" + Task = "Set registry value 'RestrictAnonymousSAM' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-252" + Task = "Set registry value 'RestrictNullSessAccess' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-253" + Task = "Set registry value 'RestrictAnonymous' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-254" + Task = "Set registry value 'ProtectionMode' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-255" + Task = "Set registry value 'LimitBlankPasswordUse' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-256" + Task = "Set registry value 'maximumpasswordage' to 30." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "maximumpasswordage" ` + | Select-Object -ExpandProperty "maximumpasswordage" + + if ($regValue -ne 30) { + return @{ + Message = "Registry value is '$regValue'. Expected: 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-257" + Task = "Set registry value 'disablepasswordchange' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "disablepasswordchange" ` + | Select-Object -ExpandProperty "disablepasswordchange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-258" + Task = "Set registry value 'NoLMHash' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-259" + Task = "Set registry value 'EnablePlainTextPassword' to 0." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-260" + Task = "Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#SecurityOptions.ps1 new file mode 100644 index 0000000..60a1b0e --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#SecurityOptions.ps1 
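Review bot: in Registry-249 the registry fallback branch reads RequireSecuritySignature from LanManServer\Parameters but never compares `$regValue` against the expected 1; it returns `Status = "Warning"` unconditionally with the message "... See here and here", where the two links the text refers to are missing. Either add the `if ($regValue -ne 1)` check that every other test in this file uses, or replace the placeholder with the actual references. Related: Registry-248 calls `Get-SmbClientConfiguration` without `-ErrorAction Stop`, unlike Registry-249's `Get-SmbServerConfiguration -ErrorAction Stop`, so a non-terminating failure of that cmdlet returns nothing, `.RequireSecuritySignature` evaluates to $null, and the test reports "RequireSecuritySignature is not set to True" instead of falling through to the registry check in `catch`.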
@@ -0,0 +1,52 @@ +[AuditTest] @{ + Id = "SecurityOption-261" + Task = "Ensure 'LSAAnonymousNameLookup' is set to '0'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SecurityOption-262" + Task = "Ensure 'EnableGuestAccount' is set to '0'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#UserRights.ps1 new file mode 100644 index 0000000..9b251b5 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2019-Microsoft-FINAL#UserRights.ps1 
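Review bot: SecurityOption-261 and SecurityOption-262 are identical except for the 'System Access' key and the message text; a small shared helper taking the option name and the expected value would remove the duplication and keep the messages consistent (the "Currently not set." message does not name the option, while the "currently set to: $setOption. Expected: 0" message right after it does). Also worth confirming that the `#` in `Microsoft Windows Server 2019-Microsoft-FINAL#SecurityOptions.ps1` matches the naming convention the existing audit group files use; the UserRights file added in this patch follows the same pattern, but no existing file is visible here to compare against.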
@@ -0,0 +1,897 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"UserRight-001" + Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-002" + Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) 
{ + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-003" + Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-004" + Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-005" + Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-006" + Task = 
"Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-007" + Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + 
$messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-008" + Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-6" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-009" + Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | 
Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-010" + Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = 
"UserRight-011" + Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-012" + Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-013" + Task = "Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. 
Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-014" + Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-015" + Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } 
+ + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-016" + Task = "Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-11'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-11" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-017" + Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-114'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test 
= { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-114" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-018" + Task = "Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-6" + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message 
= "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-019" + Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-020" + Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-021" + Task = "Ensure 'SeTcbPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-022" + Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin 
$identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-023" + Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "MemberServer" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..f91cbf1 --- /dev/null 
+++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AccountPolicies.ps1 
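Review bot: the `ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }` pipeline used in every test of this hunk silently drops any expected SID that fails to resolve, so in UserRight-017 and UserRight-023 (which only compute `$missingUsers`) an unresolvable `S-1-5-114` / `S-1-5-113` leaves `$identityAccounts` empty and the test returns "Compliant" without having checked anything, while in the other tests it turns every legitimate assignee into an "unexpected" user. Returning `Status = "Warning"` when the resolved list is shorter than the configured SID list would make that failure visible. Two smaller points: in UserRight-013 the positive-deviation branch builds `$users` from `$currentUser.Values`, whereas every other test reads the `.Account` property of the same objects, so the message either dumps every value with no separator or prints nothing; `($currentUserRights.Account -join ", ")` would match the rest of the file. In UserRight-017/023 the inner `if ($missingUsers.Count -gt 0)` is redundant inside `if (($missingUsers.Count -gt 0))`, and the message text `"The user 'Se...' setting does not contain the following users"` should read "The user right 'Se...' setting" to match the companion message.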
@@ -0,0 +1,283 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 365 -or $setPolicy -le 0)) { + if($setPolicy -eq -1){ #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 1)) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "(L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["AllowAdministratorLockout"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'AllowAdministratorLockout' currently set to: $setPolicy. 
Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..da2f9f0 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#AuditPolicies.ps1 
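Review bot: test 1.1.1 checks `if ($setPolicy -ne 24)`, which fails any value above 24 and contradicts its own Task text "24 or more password(s)"; it should be `if ($setPolicy -lt 24)` with the message changed to `Expected: x >= 24`, the way 1.1.4 and 1.2.1 express their lower bounds. Minor: in 1.1.2 the comment `#Setting 0 in GroupPolicy translates to -1 in AuditPolicy` sits on the message remap, but it is the `$setPolicy -le 0` condition that relies on that fact, so the comment belongs there too. The ids jump from 1.1.5 to 1.1.7; if 1.1.6 is intentionally left out of this group, a one-line comment saying so would stop the next reader from assuming it was forgotten.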
@@ -0,0 +1,2036 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.2" + Task = "(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.3" + Task = "(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.6" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.1" + Task = "(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.2" + Task = "(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..137a206 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#RegistrySettings.ps1 
@@ -0,0 +1,13246 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM" ` + -Name "RelaxMinimumPasswordLengthLimits" ` + | Select-Object -ExpandProperty "RelaxMinimumPasswordLengthLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "NoConnectedUser" ` + | Select-Object -ExpandProperty "NoConnectedUser" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.1" + Task = "(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SubmitControl" ` + | Select-Object -ExpandProperty "SubmitControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.2" + Task = "(L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "vulnerablechannelallowlist" ` + | Select-Object -ExpandProperty "vulnerablechannelallowlist" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.3" + Task = "(L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.4" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.5" + Task = "(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ForceUnlockLogon" ` + | Select-Object -ExpandProperty "ForceUnlockLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 1 - 'Lock Workstation' or 2 / 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC NETLOGON SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +$CARoleStatus = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed +$WINSStatus = (Get-WindowsFeature -Name WINS).Installed +[AuditTest] @{ + Id = "2.3.10.9 A" + Task = "(L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' [WINS Role Feature and CA Role Service NOT installed]" + Test = { + try { + if (($CARoleStatus -or $WINSStatus) -eq $true){ + return @{ + Message = "WINS Role Feature or CA Role Service are installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 B" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [CA Role Service installed]" + Test = { + try { + if ($CARoleStatus -eq $false){ + return @{ + Message = "CA Role Service NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + 
"Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\CertSvc" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 C" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [WINS Role Feature installed]" + Test = { + try { + if ($WINSStatus -eq $false){ + return @{ + Message = "WINS Role Feature NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\WINS" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\WINS" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.13" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 1 - 'Negotiate signing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.11" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AuditReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "AuditReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.12" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' is set to 'Enable all' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "AuditNTLMInDomain" ` + | Select-Object -ExpandProperty "AuditNTLMInDomain" + + if ($regValue -ne 7) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.13" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 1 - 'Audit all' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.13.1" + Task = "(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ShutdownWithoutLogon" ` + | Select-Object -ExpandProperty "ShutdownWithoutLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + 
Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + 
$expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is 
set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to 
'%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = 
"9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows 
Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' 
is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" 
+ Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" ` + -Name "EnableCertPaddingCheck" ` + | Select-Object -ExpandProperty "EnableCertPaddingCheck" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.8" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 2 - 'Enabled: Allow DoH' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "DoHPolicy" ` + | Select-Object -ExpandProperty "DoHPolicy" + + if (($regValue -ne 2) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 2 or x == 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' (or 0 - Disable NetBIOS name resolution)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetbios" ` + | Select-Object -ExpandProperty "EnableNetbios" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.3" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." 
+ Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: 0 - Negotiate' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 1 - 'Secure Boot' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 1) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.7" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.5" + Task = "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.6" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.7" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "BackupDirectory" ` + | Select-Object -ExpandProperty "BackupDirectory" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.3" + Task = "(L1) Ensure 'Enable password encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "ADPasswordEncryptionEnabled" ` + | Select-Object -ExpandProperty "ADPasswordEncryptionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if ($regValue -lt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if (($regValue -gt 30 -or $regValue -lt 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x >= 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.7" + Task = "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationResetDelay" ` + | Select-Object -ExpandProperty "PostAuthenticationResetDelay" + + if (($regValue -gt 8 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 8 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.8" + Task = "(L1) Ensure 'Post-authentication actions: Actions' is set to 3 - 'Enabled: Reset the password and logoff the managed account' or 5 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationActions" ` + | Select-Object -ExpandProperty "PostAuthenticationActions" + + if (($regValue -ne 3) -and ($regValue -ne 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3 or 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowCustomSSPsAPs" ` + | Select-Object -ExpandProperty "AllowCustomSSPsAPs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2" + Task = "(NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.1" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.2" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.3" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.4" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.2" + Task = "(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.1" + Task = "(L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 1 - 'Enabled: Audit' or 2 - higher (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM" ` + -Name "SamNGCKeyROCAValidation" ` + | Select-Object -ExpandProperty "SamNGCKeyROCAValidation" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.2" + Task = "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.3.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.5.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.7.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.10.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.12.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.2" + Task = "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableCloudOptimizedContent" ` + | Select-Object -ExpandProperty "DisableCloudOptimizedContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.12.3" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0 or x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.1" + Task = "(L1) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.17.4" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.25.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.2" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.3" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.28.4" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.36.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.40.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 G" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe)'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.1.2 M" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.7.1" + Task = "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "EnableFileHashComputation" ` + | Select-Object -ExpandProperty "EnableFileHashComputation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.1" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.2" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.3" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.10.4" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.1" + Task = "(L1) Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.2" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.13.3" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.17" + Task = "(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "DisableAntiSpyware" ` + | Select-Object -ExpandProperty "DisableAntiSpyware" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.50.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.55.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.2.1" + Task = "(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser" ` + | Select-Object -ExpandProperty "fSingleSessionPerUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.1" + Task = "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "EnableUiaRedirection" ` + | Select-Object -ExpandProperty "EnableUiaRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.2" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.3" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.4" + Task = "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLocationRedir" ` + | Select-Object -ExpandProperty "fDisableLocationRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.5" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.6" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.3.7" + Task = "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableWebAuthn" ` + | Select-Object -ExpandProperty "fDisableWebAuthn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.3" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.4" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.62.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.75.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.79.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.1" + Task = "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.86.2" + Task = "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.88.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.91.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if (($regValue -lt 180 -or $regValue -gt 365)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.26.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.42.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.44.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..59b8d27 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#SecurityOptions.ps1 
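Review bot: In the hunk above (the audit group ending with 19.7.44.2.1), test 18.10.91.2.1 gates on `$windefrunning`, but nothing in the hunk defines that variable; if the group's preamble does not set it, `-not $windefrunning` is always true and the test unconditionally returns Status "None" with the Defender message, silently skipping the `DisallowExploitProtectionOverride` check. Define `$windefrunning` at the top of the file (the UserRights group in this same patch dot-sources `Helpers\AuditGroupFunctions.ps1` for exactly this kind of helper) or fail loudly when it is unset, and drop the doubled parentheses in `if ((-not $windefrunning))`. A second, documentation point: every 19.* test reads `Registry::HKEY_CURRENT_USER\...`, so the result reflects the hive of the account running the auditor, not the profiles of the users the policy is meant to cover; a comment in the file (or a note in the report) should say so, otherwise a "Compliant" obtained under an admin account is easily misread as fleet-wide coverage.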
@@ -0,0 +1,133 @@ +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.5" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#UserRights.ps1 new file mode 100644 index 0000000..19b8054 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-CIS-3.0.0#UserRights.ps1 
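Review bot: In `Microsoft Windows Server 2022-CIS-3.0.0#SecurityOptions.ps1`, the failure messages for 2.3.1.4 and 2.3.1.5 echo the raw pattern to the report reader (`Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`); keep the regex in the code but replace the message text with a plain-language expectation such as `Expected: a name of 1-20 characters that is not 'Administrator'` (and `... not 'Guest' or 'Gast'` for 2.3.1.5). Two smaller points on the same lines: the inline `(?i)` is redundant because PowerShell's `-notmatch` is case-insensitive by default, and the `\b...\b` boundaries mean a value like `Administrator2` passes while `Administrator` alone fails, which matches the CIS intent but deserves a one-line comment so the next maintainer does not "tighten" it into a substring check.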
@@ -0,0 +1,1985 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = 
"2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the 
operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the system time' is 
set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ 
+ Id = "2.2.17" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if 
($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if($hyperVStatus -ne "Enabled"){ +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators [Hyper-V-Feature NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 
'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + 
return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Deny access to 
this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-114" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.24" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy 
= Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", 
"Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +$adfsModule = Get-Module -Name ADFS +if($null -eq $adfsModule){ +[AuditTest] @{ + Id = "2.2.31 A" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.31 B" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016" + "S-1-5-80-2246541699-21809830-3603976364-117610243-975697593" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if((Get-WindowsFeature -Name web-server).installed -ne $true){ +[AuditTest] @{ + Id = "2.2.33 A" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' 
[IIS Role NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +} +else{ +[AuditTest] @{ + Id = "2.2.33 B" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-32-568" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = 
$identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = 
"2.2.35" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + 
$missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.43" + Task = "(L1) Ensure 'Profile single 
process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + 
"S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } 
+ + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" + Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.49" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count 
-gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#AccountPolicies.ps1 new file mode 100644 index 0000000..e75e12b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#AccountPolicies.ps1 
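Review bot: the role detection at `$adfsModule = Get-Module -Name ADFS` / `if($null -eq $adfsModule){` only reports whether the ADFS module is already imported into the current session, not whether the AD FS role is installed, so a server with the role installed but the module not yet imported is audited with 2.2.31 A and the two S-1-5-80-... service SIDs are then reported as unexpected users; use `Get-Module -ListAvailable -Name ADFS` (or the same `Get-WindowsFeature` pattern the IIS branch uses, with the `ADFS-Federation` feature name) so the branch reflects installed state rather than session state. The 2.2.31 B Task string also still says 'LOCAL SERVICE, NETWORK SERVICE' although the expected list has four accounts, so the report text will not match what the test actually enforces. Related mismatch in 2.2.38: the Task allows 'Exchange Servers' on DCs where Exchange is running, but `$identityAccounts` holds only S-1-5-32-544, so that group is flagged as unexpected in every Exchange environment; either extend the expected list conditionally or state the limitation in the Task text. Style: the Deny-* tests (2.2.22 through 2.2.27) check the same condition twice (`if (($missingUsers.Count -gt 0)) {` followed immediately by `if ($missingUsers.Count -gt 0) {`), and every test in this file is the same ~30-line body differing only in the privilege name and the SID list; a shared helper taking the privilege name, the expected SIDs and a subset-vs-exact flag would reduce the file to a table and make a wrong SID far easier to catch in review.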
@@ -0,0 +1,252 @@ +[AuditTest] @{ + Id = "V-254285" + Task = "Windows Server 2022 account lockout duration must be configured to 15 or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15) -and ($setPolicy -ne 0 )) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 or x == 0 " + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254286" + Task = "Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 3 -or $setPolicy -eq 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x >= 3 and x != 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254287" + Task = "Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 or greater." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 15 )) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x >= 15 " + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254288" + Task = "Windows Server 2022 password history must be configured to 24 passwords remembered." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254289" + Task = "Windows Server 2022 maximum password age must be configured to 60 or less." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 60 -or $setPolicy -eq 0 )) { + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 60 and x != 0 " + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254290" + Task = "Windows Server 2022 minimum password age must be configured to at least one day." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -eq 0 )) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x != 0 " + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254291" + Task = "Windows Server 2020 minimum password length must be configured to 14 characters." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254292" + Task = "Windows Server 2022 must have the built-in Windows password complexity policy enabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254293" + Task = "Windows Server 2022 reversible password encryption must be disabled." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
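Review bot: the V-254286 condition is inverted: `if (($setPolicy -lt 3 -or $setPolicy -eq 0))` reports thresholds of 1 or 2 as findings and passes any value of 4 or more, and the message `Expected: x >= 3 and x != 0` repeats the mistake, both contradicting the Task text "three or less"; it should read `if ($setPolicy -gt 3 -or $setPolicy -eq 0)` with `Expected: x <= 3 and x != 0`. Minor: the V-254291 Task string says "Windows Server 2020" where every other test in the file says 2022.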
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#AuditPolicies.ps1 new file mode 100644 index 0000000..03362a9 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#AuditPolicies.ps1 
@@ -0,0 +1,1502 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "V-254300 + V-254301" + Task = "Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes. Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254302" + Task = "Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254303" + Task = "Windows Server 2022 must be configured to audit Account Management - Security Group Management successes." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254304 + V-254305" + Task = "Windows Server 2022 must be configured to audit Account Management - User Account Management successes. Windows Server 2022 must be configured to audit Account Management - User Account Management failures." + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254306" + Task = "Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254307" + Task = "Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254308 + V-254309" + Task = "Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes. Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254310" + Task = "Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254311" + Task = "Windows Server 2022 must be configured to audit logoff successes." 
+ Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254312 + V-254313" + Task = "Windows Server 2022 must be configured to audit logon successes. Windows Server 2022 must be configured to audit logon failures." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254314" + Task = "Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254315 + V-254316" + Task = "Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes. Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254317 + V-254318" + Task = "Windows Server 2022 must be configured to audit Object Access - Removable Storage successes. Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254319 + V-254320" + Task = "Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes. Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." 
+ Test = { + # Get the audit policy for the subcategory Audit Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254321" + Task = "Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254322" + Task = "Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." 
+ Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254323 + V-254324" + Task = "Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes. Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254325 + V-254326" + Task = "Windows Server 2022 must be configured to audit System - IPsec Driver successes. Windows Server 2022 must be configured to audit System - IPsec Driver failures." 
+ Test = { + # Get the audit policy for the subcategory IPsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "IPsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'IPsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254327 + V-254328" + Task = "Windows Server 2022 must be configured to audit System - Other System Events successes. Windows Server 2022 must be configured to audit System - Other System Events failures." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254329" + Task = "Windows Server 2022 must be configured to audit System - Security State Change successes." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254330" + Task = "Windows Server 2022 must be configured to audit System - Security System Extension successes." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254331 + V-254332" + Task = "Windows Server 2022 must be configured to audit System - System Integrity successes. Windows Server 2022 must be configured to audit System - System Integrity failures." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254407" + Task = "Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes." 
+ Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254408 + V-254409" + Task = "Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes. Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures." 
+ Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "V-254410 + V-254411" + Task = "Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes. Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures." 
+ Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#RegistrySettings.ps1 new file mode 100644 index 0000000..acf9f50 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#RegistrySettings.ps1 
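Review bot: in every `Test` block of the audit-policy file above (from the `Removable Storage` test through `Directory Service Changes`), `Write-Error -Message $errorString` is placed after `throw [System.ArgumentException] $errorString` and can never execute; either drop the `Write-Error` or move it before the `throw` so the message is logged before the exception propagates. The same blocks match `auditpol` output only against the English and German strings (`Success and Failure`, `Erfolg und Fehler`, ...), so on any other system locale the regex fails and the test reports `Status = "Warning"` with `Couldn't get setting.` instead of the actual value; the locale dependency should at least be documented in the comment above the regex. Since these twelve blocks are identical apart from the subcategory name and the accepted settings, a shared helper taking the subcategory and the list of compliant values would remove the duplication and make fixes like the one above a single change.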
@@ -0,0 +1,3509 @@ +[AuditTest] @{ + Id = "V-254276" + Task = "Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254277" + Task = "Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254333" + Task = "Windows Server 2022 must prevent the display of slide shows on the lock screen." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254334" + Task = "Windows Server 2022 must have WDigest Authentication disabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254335" + Task = "Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254336" + Task = "Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254337" + Task = "Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254338" + Task = "Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254339" + Task = "Windows Server 2022 insecure logons to an SMB server must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254341" + Task = "Windows Server 2022 command line data must be included in process creation events." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254342" + Task = "Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254344" + Task = "Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if (($regValue -ne 1) -and ($regValue -ne 3) -and ($regValue -ne 8)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1 or x == 3 or x == 8" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254345" + Task = "Windows Server 2022 group policy objects must be reprocessed even if they have not changed." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254346" + Task = "Windows Server 2022 downloading print driver packages over HTTP must be turned off." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254347" + Task = "Windows Server 2022 printing over HTTP must be turned off." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254348" + Task = "Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254349" + Task = "Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery)." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254350" + Task = "Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254351" + Task = "Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." 
+ Test = { + try { + $status = get-service -name pcasvc -ErrorAction Stop + if($status.Status -ne "Stopped"){ + return @{ + Message = "Compliant - AppCompat Service is disabled (no inventory data will be collected)." + Status = "True" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" ` + -Name "DisableInventory" ` + | Select-Object -ExpandProperty "DisableInventory" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254352" + Task = "Windows Server 2022 Autoplay must be turned off for nonvolume devices." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254353" + Task = "Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254354" + Task = "Windows Server 2022 AutoPlay must be disabled for all drives." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254355" + Task = "Windows Server 2022 administrator accounts must not be enumerated during elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254358" + Task = "Windows Server 2022 Application event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254359" + Task = "Windows Server 2022 Security event log size must be configured to 196608 KB or greater." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254360" + Task = "Windows Server 2022 System event log size must be configured to 32768 KB or greater." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254361" + Task = "Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254362" + Task = "Windows Server 2022 Explorer Data Execution Prevention must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254363" + Task = "Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254364" + Task = "Windows Server 2022 File Explorer shell protocol must run in protected mode." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254365" + Task = "Windows Server 2022 must not save passwords in the Remote Desktop Client." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254366" + Task = "Windows Server 2022 Remote Desktop Services must prevent drive redirection." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254367" + Task = "Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254368" + Task = "Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254369" + Task = "Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254370" + Task = "Windows Server 2022 must prevent attachments from being downloaded from RSS feeds." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254371" + Task = "Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254372" + Task = "Windows Server 2022 must prevent Indexing of encrypted files." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254373" + Task = "Windows Server 2022 must prevent users from changing installation options." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254374" + Task = "Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254375" + Task = "Windows Server 2022 users must be notified if a web-based program attempts to install software." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254376" + Task = "Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254377" + Task = "Windows Server 2022 PowerShell script block logging must be enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254378" + Task = "Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254379" + Task = "Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254380" + Task = "Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254381" + Task = "Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254382" + Task = "Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254383" + Task = "Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254384" + Task = "Windows Server 2022 must have PowerShell Transcription enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254416" + Task = "Windows Server 2022 domain controllers must require LDAP access signing." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254417" + Task = "Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254429" + Task = "Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254430" + Task = "Windows Server 2022 local users on domain-joined member servers must not be enumerated." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254431" + Task = "Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254433" + Task = "Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254446" + Task = "Windows Server 2022 must prevent local accounts with blank passwords from being used from the network." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254449" + Task = "Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254450" + Task = "Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254451" + Task = "Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254452" + Task = "Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254453" + Task = "Windows Server 2022 computer account password must not be prevented from being reset." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254454" + Task = "Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -gt 30 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254455" + Task = "Windows Server 2022 must be configured to require a strong session key." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254456" + Task = "Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254457" + Task = "Windows Server 2022 required legal notice must be configured to display before console logon." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + if ($regValue -ne "See message text below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message text below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254458" + Task = "Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + if ($regValue -ne "See message title options below") { + return @{ + Message = "Registry value is '$regValue'. Expected: See message title options below" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254460" + Task = "Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-254461" + Task = "Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." + Test = { + try { + if((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-254462" + Task = "Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254463" + Task = "Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." + Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-254464" + Task = "Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." 
+ Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True){ + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "V-254466" + Task = "Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254467" + Task = "Windows Server 2022 must not allow anonymous enumeration of shares." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254468" + Task = "Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254469" + Task = "Windows Server 2022 must restrict anonymous access to Named Pipes and Shares." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254470" + Task = "Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254471" + Task = "Windows Server 2022 must prevent NTLM from falling back to a Null session." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254472" + Task = "Windows Server 2022 must prevent PKU2U authentication using online identities." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254473" + Task = "Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254474" + Task = "Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254475" + Task = "Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254476" + Task = "Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254477" + Task = "Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254478" + Task = "Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254479" + Task = "Windows Server 2022 users must be required to enter a password to access private keys stored on the computer." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" ` + -Name "ForceKeyProtection" ` + | Select-Object -ExpandProperty "ForceKeyProtection" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254480" + Task = "Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254481" + Task = "Windows Server 2022 default permissions of global system objects must be strengthened." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254482" + Task = "Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254483" + Task = "Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableUIADesktopToggle" ` + | Select-Object -ExpandProperty "EnableUIADesktopToggle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254485" + Task = "Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254486" + Task = "Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254487" + Task = "Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254488" + Task = "Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254489" + Task = "Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254490" + Task = "Windows Server 2022 must preserve zone information when saving attachments." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#SecurityOptions.ps1 new file mode 100644 index 0000000..28caf72 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-DISA-V1R1#SecurityOptions.ps1 
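Review bot: the V-254490 test (SaveZoneInformation) is the only check in this file that reads HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE, and it is also the only one whose catch blocks return Status "True" for a missing key or value, so its result reflects the hive of whichever account runs the auditor rather than the policy applied to the server, and it passes silently on a box where the policy was never deployed. If that is intended (the Attachments policy is user-scoped), add a comment on the test saying so and explaining why "Registry value not found." is reported as compliant here while the other nine tests in the hunk report it as "False"; otherwise consider returning Status "Warning" from those two catch blocks so a reviewer can tell "not configured" apart from "configured correctly". A minor consistency point: every test in the hunk repeats the same ~30-line Get-ItemProperty/try/catch body with only the path, value name and expected number changing, so a small helper taking those three parameters would make the file much easier to review.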
@@ -0,0 +1,104 @@ +[AuditTest] @{ + Id = "V-254445" + Task = "Windows Server 2022 must have the built-in guest account disabled." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254447" + Task = "Windows Server 2022 built-in administrator account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?!.*\bAdministrator\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254448" + Task = "Windows Server 2022 built-in guest account must be renamed." + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "V-254465" + Task = "Windows Server 2022 must not allow anonymous SID/Name translation." 
+ Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#AccountPolicies.ps1 new file mode 100644 index 0000000..e0b4a36 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#AccountPolicies.ps1 
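Review bot: the two rename checks (V-254447, V-254448) report a failure without saying what was expected, unlike the other tests in the hunk, which append "Expected: 0"; "'NewAdministratorName' currently set to: $setOption." could read "'NewAdministratorName' currently set to: $setOption. Expected: a name other than 'Administrator'". The two regexes are also inconsistent: V-254448 uses an explicit `(?i)` and accepts both 'Guest' and the German 'Gast', while V-254447 has neither and is only case-insensitive because PowerShell's `-notmatch` is case-insensitive by default; either add `(?i)` to both or drop it from both and note the default in a comment. Note too that the word-boundary form `\bAdministrator\b` passes names such as 'Administrator1' or 'Administrators'; if the intent is any name that is not literally 'Administrator', a plain `-ne "Administrator"` comparison (after stripping the quotes the security policy export may carry) is clearer than the negative look-ahead.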
@@ -0,0 +1,196 @@ +[AuditTest] @{ + Id = "AccountPolicy-309" + Task = "Ensure 'MinimumPasswordLength' is set to '14'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x == 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-310" + Task = "Ensure 'PasswordComplexity' is set to '1'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-311" + Task = "Ensure 'PasswordHistorySize' is set to '24'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 24)) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: x == 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-312" + Task = "Ensure 'LockoutBadCount' is set to '10'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 10)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x == 10" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-313" + Task = "Ensure 'ResetLockoutCount' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 15)) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. Expected: x == 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-314" + Task = "Ensure 'LockoutDuration' is set to '15'." + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -ne 15)) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x == 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "AccountPolicy-315" + Task = "Ensure 'ClearTextPassword' is set to '0'." 
+ Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#AuditPolicies.ps1 new file mode 100644 index 0000000..85187c7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#AuditPolicies.ps1 
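Review bot: every numeric test in this hunk fails a host that is configured more strictly than the baseline value: `if (($setPolicy -ne 14))` marks a MinimumPasswordLength of 16 as non-compliant, `-ne 24` and `-ne 15` do the same for a longer password history or lockout duration, and `-ne 10` fails a LockoutBadCount of 5. If exact equality is the intent, state it in the Task text (currently "Ensure 'MinimumPasswordLength' is set to '14'." reads as a minimum) and in the messages; otherwise use `-lt 14`, `-lt 24` and `-lt 15`, and for LockoutBadCount treat 0 (lockout disabled) as a failure and anything from 1 to 10 as compliant, updating the "Expected: x == 14" strings accordingly. Two smaller points: the doubled parentheses in `(($setPolicy -ne 14))` can be `($setPolicy -ne 14)` as in the PasswordComplexity and ClearTextPassword tests, and `$setPolicy = [long]$setPolicy` throws on a non-numeric value, which would abort the test instead of returning a Status; wrapping the cast or checking with `-as [long]` would keep the result shape consistent.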
@@ -0,0 +1,1730 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "AuditPolicy-250" + Task = "Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'." + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-251" + Task = "Ensure 'Security Group Management' is set to 'Success'." + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-252" + Task = "Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-253" + Task = "Ensure 'Plug and Play Events' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-254" + Task = "Ensure 'Process Creation' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-255" + Task = "Ensure 'Account Lockout' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-256" + Task = "Ensure 'Group Membership' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-257" + Task = "Ensure 'Logon' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-258" + Task = "Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-259" + Task = "Ensure 'Special Logon' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-260" + Task = "Ensure 'Detailed File Share' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-261" + Task = "Ensure 'File Share' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-262" + Task = "Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-263" + Task = "Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-264" + Task = "Ensure 'Audit Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-265" + Task = "Ensure 'Authentication Policy Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-266" + Task = "Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory MPSSVC Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "MPSSVC Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'MPSSVC Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-267" + Task = "Ensure 'Other Policy Change Events' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-268" + Task = "Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-269" + Task = "Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-270" + Task = "Ensure 'Security State Change' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-271" + Task = "Ensure 'Security System Extension' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-272" + Task = "Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-449" + Task = "Ensure 'Kerberos Authentication Service' is set to 'Success' and is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-450" + Task = "Ensure 'Kerberos Service Ticket Operations' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-451" + Task = "Ensure 'Computer Account Management' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-452" + Task = "Ensure 'Other Account Management Events' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-457" + Task = "Ensure 'Directory Service Access' is set to 'Failure'." 
+ Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "AuditPolicy-458" + Task = "Ensure 'Directory Service Changes' is set to 'Success'." 
+ Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#RegistrySettings.ps1 new file mode 100644 index 0000000..b73308f --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#RegistrySettings.ps1 
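Review bot: the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` in every `Test` block of this hunk is unreachable, because `throw` leaves the script block before the next statement runs; either drop the `Write-Error` or move it ahead of the `throw` if the intent is to log and then abort. Second, the twenty-plus `[AuditTest]` entries here (AuditPolicy-258 through AuditPolicy-458) are byte-for-byte identical apart from the subcategory name and the final `-ne` comparison, so the GUID lookup, the `auditpol /get` call, the `Select-Object -Skip 3` header stripping and the regex would be better factored into one helper that takes the subcategory and the required setting ("Success", "Failure" or "Success and Failure"); that also removes the risk of a copy-paste mismatch between `Task` and the comparison, which is easy to miss in a block this long. Third, the regex `(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$` only recognises the English and German strings that `auditpol` prints, so on a host with any other UI language every one of these tests falls through to `Status = "Warning"` / `Message = "Couldn't get setting."` rather than reporting the real value; worth documenting that limitation next to the regex or widening it. Minor: the operator is written `-and` in some comparisons and `-And` in others within the same line; pick one casing.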
@@ -0,0 +1,9699 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +[AuditTest] @{ + Id = "Registry-001" + Task = "Ensure 'Remove `"Run this time`" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "RunThisTimeEnabled" ` + | Select-Object -ExpandProperty "RunThisTimeEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-002" + Task = "Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" ` + -Name "VersionCheckEnabled" ` + | Select-Object -ExpandProperty "VersionCheckEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-003" + Task = "Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "RunInvalidSignatures" ` + | Select-Object -ExpandProperty "RunInvalidSignatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-004" + Task = "Set registry value 'CheckExeSignatures' to yes." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Download" ` + -Name "CheckExeSignatures" ` + | Select-Object -ExpandProperty "CheckExeSignatures" + + if ($regValue -ne "yes") { + return @{ + Message = "Registry value is '$regValue'. Expected: yes" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-005" + Task = "Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation64Bit" ` + | Select-Object -ExpandProperty "Isolation64Bit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-006" + Task = "Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "DisableEPMCompat" ` + | Select-Object -ExpandProperty "DisableEPMCompat" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-007" + Task = "Set registry value 'Isolation' to PMEM." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "Isolation" ` + | Select-Object -ExpandProperty "Isolation" + + if ($regValue -ne "PMEM") { + return @{ + Message = "Registry value is '$regValue'. Expected: PMEM" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-008" + Task = "Set registry value '(Reserved)' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-009" + Task = "Set registry value 'iexplore.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-010" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-011" + Task = "Set registry value 'explorer.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-012" + Task = "Set registry value 'iexplore.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-013" + Task = "Set registry value '(Reserved)' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-014" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-015" + Task = "Set registry value 'iexplore.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-016" + Task = "Set registry value '(Reserved)' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-017" + Task = "Set registry value '(Reserved)' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-018" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-019" + Task = "Set registry value 'iexplore.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-020" + Task = "Set registry value '(Reserved)' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-021" + Task = "Set registry value 'iexplore.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-022" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-023" + Task = "Set registry value '(Reserved)' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-024" + Task = "Set registry value 'iexplore.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-025" + Task = "Set registry value 'explorer.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-026" + Task = "Set registry value 'iexplore.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-027" + Task = "Set registry value '(Reserved)' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-028" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-029" + Task = "Set registry value '(Reserved)' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "(Reserved)" ` + | Select-Object -ExpandProperty "(Reserved)" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-030" + Task = "Set registry value 'explorer.exe' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "explorer.exe" ` + | Select-Object -ExpandProperty "explorer.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-031" + Task = "Set registry value 'iexplore.exe' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION" ` + -Name "iexplore.exe" ` + | Select-Object -ExpandProperty "iexplore.exe" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-032" + Task = "Set registry value 'PreventOverrideAppRepUnknown' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverrideAppRepUnknown" ` + | Select-Object -ExpandProperty "PreventOverrideAppRepUnknown" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-033" + Task = "Set registry value 'PreventOverride' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "PreventOverride" ` + | Select-Object -ExpandProperty "PreventOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-034" + Task = "Ensure 'Prevent managing SmartScreen Filter' is set to 'On'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ` + -Name "EnabledV9" ` + | Select-Object -ExpandProperty "EnabledV9" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-035" + Task = "Set registry value 'NoCrashDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions" ` + -Name "NoCrashDetection" ` + | Select-Object -ExpandProperty "NoCrashDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-036" + Task = "Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security" ` + -Name "DisableSecuritySettingsCheck" ` + | Select-Object -ExpandProperty "DisableSecuritySettingsCheck" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-037" + Task = "Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX" ` + -Name "BlockNonAdminActiveXInstall" ` + | Select-Object -ExpandProperty "BlockNonAdminActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-038" + Task = "Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AxInstaller" ` + -Name "OnlyUseAXISForActiveXInstall" ` + | Select-Object -ExpandProperty "OnlyUseAXISForActiveXInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-039" + Task = "Set registry value 'Security_zones_map_edit' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_zones_map_edit" ` + | Select-Object -ExpandProperty "Security_zones_map_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-040" + Task = "Set registry value 'Security_options_edit' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_options_edit" ` + | Select-Object -ExpandProperty "Security_options_edit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-041" + Task = "Set registry value 'Security_HKLM_only' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "Security_HKLM_only" ` + | Select-Object -ExpandProperty "Security_HKLM_only" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-042" + Task = "Ensure 'Check for server certificate revocation' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "CertificateRevocation" ` + | Select-Object -ExpandProperty "CertificateRevocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-043" + Task = "Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "PreventIgnoreCertErrors" ` + | Select-Object -ExpandProperty "PreventIgnoreCertErrors" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-044" + Task = "Set registry value 'WarnOnBadCertRecving' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "WarnOnBadCertRecving" ` + | Select-Object -ExpandProperty "WarnOnBadCertRecving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-045" + Task = "Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "EnableSSL3Fallback" ` + | Select-Object -ExpandProperty "EnableSSL3Fallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-046" + Task = "Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ` + -Name "SecureProtocols" ` + | Select-Object -ExpandProperty "SecureProtocols" + + if ($regValue -ne 2560) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2560" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-047" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-048" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-049" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-050" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Lockdown_Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-051" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Lockdown_Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-052" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-053" + Task = "Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" ` + -Name "UNCAsIntranet" ` + | Select-Object -ExpandProperty "UNCAsIntranet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-054" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-055" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-056" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-057" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-058" + Task = "Ensure 'Java permissions' is set to 'High safety'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-059" + Task = "Ensure 'Java permissions' is set to 'High safety'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-060" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-061" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-062" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-063" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-064" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-065" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-066" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-067" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-068" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-069" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-070" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-071" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-072" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-073" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-074" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-075" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-076" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-077" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-078" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-079" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-080" + Task = "Ensure 'Logon options' is set to 'Prompt for user name and password'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 65536) { + return @{ + Message = "Registry value is '$regValue'. Expected: 65536" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-081" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-082" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-083" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-084" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-085" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-086" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-087" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-088" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-089" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-090" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. 
[Zones\3]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-091" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-092" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-093" + Task = "Set registry value '140C' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-094" + Task = "Ensure 'Allow META REFRESH' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1608" ` + | Select-Object -ExpandProperty "1608" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-095" + Task = "Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1201" ` + | Select-Object -ExpandProperty "1201" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-096" + Task = "Ensure 'Download signed ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1001" ` + | Select-Object -ExpandProperty "1001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-097" + Task = "Ensure 'Navigate windows and frames across different domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1607" ` + | Select-Object -ExpandProperty "1607" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-098" + Task = "Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120b" ` + | Select-Object -ExpandProperty "120b" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-099" + Task = "Ensure 'Use Pop-up Blocker' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1809" ` + | Select-Object -ExpandProperty "1809" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-100" + Task = "Ensure 'Download unsigned ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1004" ` + | Select-Object -ExpandProperty "1004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-101" + Task = "Ensure 'Userdata persistence' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1606" ` + | Select-Object -ExpandProperty "1606" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-102" + Task = "Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1407" ` + | Select-Object -ExpandProperty "1407" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-103" + Task = "Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "160A" ` + | Select-Object -ExpandProperty "160A" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-104" + Task = "Ensure 'Access data sources across domains' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1406" ` + | Select-Object -ExpandProperty "1406" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-105" + Task = "Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2102" ` + | Select-Object -ExpandProperty "2102" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-106" + Task = "Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2004" ` + | Select-Object -ExpandProperty "2004" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-107" + Task = "Ensure 'Automatic prompting for file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2200" ` + | Select-Object -ExpandProperty "2200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-108" + Task = "Ensure 'Allow binary and script behaviors' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2000" ` + | Select-Object -ExpandProperty "2000" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-109" + Task = "Ensure 'Scripting of Java applets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1402" ` + | Select-Object -ExpandProperty "1402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-110" + Task = "Ensure 'Allow file downloads' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1803" ` + | Select-Object -ExpandProperty "1803" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-111" + Task = "Ensure 'Allow loading of XAML files' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2402" ` + | Select-Object -ExpandProperty "2402" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-112" + Task = "Ensure 'Allow active scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1400" ` + | Select-Object -ExpandProperty "1400" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-113" + Task = "Ensure 'Logon options' is set to 'Anonymous logon'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1A00" ` + | Select-Object -ExpandProperty "1A00" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-114" + Task = "Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2001" ` + | Select-Object -ExpandProperty "2001" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-115" + Task = "Ensure 'Turn on Protected Mode' is set to 'Enable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2500" ` + | Select-Object -ExpandProperty "2500" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-116" + Task = "Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1409" ` + | Select-Object -ExpandProperty "1409" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-117" + Task = "Ensure 'Java permissions' is set to 'Disable Java'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1C00" ` + | Select-Object -ExpandProperty "1C00" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-118" + Task = "Ensure 'Allow scriptlets' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1209" ` + | Select-Object -ExpandProperty "1209" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-119" + Task = "Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "270C" ` + | Select-Object -ExpandProperty "270C" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-120" + Task = "Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1206" ` + | Select-Object -ExpandProperty "1206" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-121" + Task = "Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2708" ` + | Select-Object -ExpandProperty "2708" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-122" + Task = "Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1802" ` + | Select-Object -ExpandProperty "1802" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-123" + Task = "Ensure 'Allow updates to status bar via script' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2103" ` + | Select-Object -ExpandProperty "2103" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-124" + Task = "Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2709" ` + | Select-Object -ExpandProperty "2709" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-125" + Task = "Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1405" ` + | Select-Object -ExpandProperty "1405" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-126" + Task = "Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2101" ` + | Select-Object -ExpandProperty "2101" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-127" + Task = "Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. [Zones\4]" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "2301" ` + | Select-Object -ExpandProperty "2301" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-128" + Task = "Ensure 'Run ActiveX controls and plugins' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1200" ` + | Select-Object -ExpandProperty "1200" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-129" + Task = "Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1804" ` + | Select-Object -ExpandProperty "1804" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-130" + Task = "Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "1806" ` + | Select-Object -ExpandProperty "1806" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-131" + Task = "Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "120c" ` + | Select-Object -ExpandProperty "120c" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-132" + Task = "Set registry value '140C' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ` + -Name "140C" ` + | Select-Object -ExpandProperty "140C" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-133" + Task = "Ensure 'Turn off Autoplay' is set to 'All drives'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-134" + Task = "Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-135" + Task = "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-136" + Task = "Set registry value 'LocalAccountTokenFilterPolicy' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-143" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-153" + Task = "Set registry value 'NoLockScreenCamera' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-157" + Task = "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-169" + Task = "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-186" + Task = "Set registry value 'AdmPwdEnabled' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" ` + -Name "AdmPwdEnabled" ` + | Select-Object -ExpandProperty "AdmPwdEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-197" + Task = "Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA)." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictRemoteSAM" ` + | Select-Object -ExpandProperty "RestrictRemoteSAM" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-198" + Task = "Set registry value 'EnablePlainTextPassword' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-199" + Task = "Set registry value 'NoLMHash' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-200" + Task = "Set registry value 'LimitBlankPasswordUse' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-201" + Task = "Set registry value 'ProtectionMode' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-202" + Task = "Set registry value 'RestrictAnonymous' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-203" + Task = "Set registry value 'RestrictNullSessAccess' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-204" + Task = "Set registry value 'RestrictAnonymousSAM' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-205" + Task = "Set registry value 'requirestrongkey' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requirestrongkey" ` + | Select-Object -ExpandProperty "requirestrongkey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-206" + Task = "Set registry value 'requiresecuritysignature' to 1." 
+ Test = { + try { + if((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-207" + Task = "Set registry value 'RequireSecuritySignature' to 1." + Test = { + try { + if((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True){ + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try{ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "Registry-208" + Task = "Set registry value 'signsecurechannel' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "signsecurechannel" ` + | Select-Object -ExpandProperty "signsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-277" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. (Member Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-279" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-280" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if ($regValue -eq 3) { + return @{ + Message = "Set to 'Secure Boot and DMA Protection' which is more secure." + Status = "True" + } + } + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-281" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-282" + Task = "Set registry value 'HVCIMATRequired' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-283" + Task = "Ensure 'Turn On Virtualization Based Security' is set to 'Disabled'. 
(Domain Controller)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-284" + Task = "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-285" + Task = "Set registry value 'PUAProtection' to 1." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-286" + Task = "Set registry value 'MpCloudBlockLevel' to 2." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine" ` + -Name "MpCloudBlockLevel" ` + | Select-Object -ExpandProperty "MpCloudBlockLevel" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-287" + Task = "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-288" + Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-289" + Task = "Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if (($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-290" + Task = "Ensure 'Scan removable drives' is set to 'Enabled'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-291" + Task = "Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'." 
+ Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SubmitSamplesConsent" ` + | Select-Object -ExpandProperty "SubmitSamplesConsent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-292" + Task = "Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-293" + Task = "Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'." 
+ Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "DisableBlockAtFirstSeen" ` + | Select-Object -ExpandProperty "DisableBlockAtFirstSeen" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-294" + Task = "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-295" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-296" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-297" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-298" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-299" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-300" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-301" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-302" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-303" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-304" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-305" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-306" + Task = "Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "c1db55ab-c21a-4637-bb3f-a12568109d35" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "c1db55ab-c21a-4637-bb3f-a12568109d35" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-307" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if($asrTest1){ + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if($asrTest2){ + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-308" + Task = "Set registry value 'EnableNetworkProtection' to 1." + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-316" + Task = "Set registry value 'FormSuggest Passwords' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-317" + Task = "Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest PW Ask" ` + | Select-Object -ExpandProperty "FormSuggest PW Ask" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-318" + Task = "Set registry value 'FormSuggest Passwords' to no." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main" ` + -Name "FormSuggest Passwords" ` + | Select-Object -ExpandProperty "FormSuggest Passwords" + + if ($regValue -ne "no") { + return @{ + Message = "Registry value is '$regValue'. Expected: no" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-322" + Task = "Set registry value 'AllowEncryptionOracle' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-323" + Task = "Set registry value 'EnhancedAntiSpoofing' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-324" + Task = "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-325" + Task = "Set registry value 'AllowProtectedCreds' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-326" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '32768'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 32768) { + return @{ + Message = "Registry value is '$regValue'. Expected: 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-327" + Task = "Ensure 'Specify the maximum log file size (KB)' is set to '196608'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if ($regValue -ne 196608) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-329" + Task = "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-330" + Task = "Ensure 'Configure registry policy processing' is set to '0'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-331" + Task = "Ensure 'Configure registry policy processing' is set to '0'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-332" + Task = "Set registry value 'AlwaysInstallElevated' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-333" + Task = "Ensure 'Allow user control over installs' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-334" + Task = "Set registry value 'DeviceEnumerationPolicy' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-335" + Task = "Ensure 'Enable insecure guest logons' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-336" + Task = "Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-337" + Task = "Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if($regValue -eq $null){ + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object{ $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-339" + Task = "Set registry value 'NoLockScreenSlideshow' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-340" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-341" + Task = "Ensure 'Turn on PowerShell Script Block Logging' is not set." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockInvocationLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockInvocationLogging" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-343" + Task = "Set registry value 'EnforcementMode' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Appx" ` + -Name "EnforcementMode" ` + | Select-Object -ExpandProperty "EnforcementMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-358" + Task = "Ensure 'Configure Windows SmartScreen' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-359" + Task = "Set registry value 'ShellSmartScreenLevel' to Block." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-360" + Task = "Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-361" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-362" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-363" + Task = "Ensure 'Disallow Digest authentication' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-364" + Task = "Ensure 'Allow Basic authentication' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-365" + Task = "Ensure 'Allow unencrypted traffic' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-366" + Task = "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-367" + Task = "Ensure 'Turn off multicast name resolution' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-368" + Task = "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if (($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x == 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-369" + Task = "Set registry value 'DisablePasswordSaving' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-370" + Task = "Set registry value 'fDisableCdm' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-371" + Task = "Set registry value 'fPromptForPassword' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-372" + Task = "Set registry value 'fEncryptRPCTraffic' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-373" + Task = "Set registry value 'MinEncryptionLevel' to 3." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-375" + Task = "Domain: Set registry value 'DefaultOutboundAction' to 0." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-376" + Task = "Domain: Set registry value 'DefaultInboundAction' to 1." + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-377" + Task = "Domain: Set registry value 'EnableFirewall' to 1." 
+ Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"} + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-378" + Task = "Private: Set registry value 'EnableFirewall' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-379" + Task = "Private: Set registry value 'DefaultInboundAction' to 1." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-380" + Task = "Private: Set registry value 'DefaultOutboundAction' to 0." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-381" + Task = "Public: Set registry value 'EnableFirewall' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-382" + Task = "Public: Set registry value 'DefaultOutboundAction' to 0." 
+ Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultOutboundAction" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-383" + Task = "Public: Set registry value 'DefaultInboundAction' to 1." + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "Registry-384" + Task = "Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-385" + Task = "Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-386" + Task = "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-387" + Task = "Set registry value 'DriverLoadPolicy' to 3." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-388" + Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-389" + Task = "Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-390" + Task = "Set registry value 'NoNameReleaseOnDemand' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NoNameReleaseOnDemand" ` + | Select-Object -ExpandProperty "NoNameReleaseOnDemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-391" + Task = "Set registry value 'NodeType' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-392" + Task = "Set registry value 'EnableICMPRedirect' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-393" + Task = "Set registry value 'DisableIPSourceRouting' to 2." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-394" + Task = "Set registry value 'DisableIPSourceRouting' to 2." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-395" + Task = "Set registry value 'allownullsessionfallback' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "allownullsessionfallback" ` + | Select-Object -ExpandProperty "allownullsessionfallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-396" + Task = "Set registry value 'InactivityTimeoutSecs' to 900." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if ($regValue -ne 900) { + return @{ + Message = "Registry value is '$regValue'. Expected: 900" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-397" + Task = "Set registry value 'ScRemoveOption' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -ne "1") { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-398" + Task = "Set registry value 'SCENoApplyLegacyAuditPolicy' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-399" + Task = "Set registry value 'EnableVirtualization' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-400" + Task = "Set registry value 'FilterAdministratorToken' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-401" + Task = "Set registry value 'EnableLUA' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-402" + Task = "Set registry value 'EnableInstallerDetection' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-403" + Task = "Set registry value 'ConsentPromptBehaviorAdmin' to 2." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-404" + Task = "Set registry value 'ConsentPromptBehaviorUser' to 0." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-405" + Task = "Set registry value 'EnableSecureUIAPaths' to 1." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-406" + Task = "Set registry value 'LDAPClientIntegrity' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-407" + Task = "Set registry value 'LmCompatibilityLevel' to 5." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-408" + Task = "Set registry value 'NTLMMinClientSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-409" + Task = "Set registry value 'sealsecurechannel' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "sealsecurechannel" ` + | Select-Object -ExpandProperty "sealsecurechannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-410" + Task = "Set registry value 'NTLMMinServerSec' to 537395200." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-411" + Task = "Set registry value 'requiresignorseal' to 1." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "requiresignorseal" ` + | Select-Object -ExpandProperty "requiresignorseal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-423" + Task = "Set registry value 'LDAPServerIntegrity' to 2." 
+ Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "Registry-424" + Task = "Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled, always (recommended)'." + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#SecurityOptions.ps1 new file mode 100644 index 0000000..e074f0b --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#SecurityOptions.ps1 
@@ -0,0 +1,26 @@ +[AuditTest] @{ + Id = "SecurityOption-226" + Task = "Ensure 'LSAAnonymousNameLookup' is set to '0'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#UserRights.ps1 new file mode 100644 index 0000000..54d4535 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2022-Microsoft-FINAL#UserRights.ps1 
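Review bot: SecurityOption-226 compares `$setOption -ne 0` without casting the policy value first, unlike the AccountPolicies tests in this same change, which do `$setPolicy = [long]$setPolicy` before comparing. Because `$setOption` is the string read from the security policy export, PowerShell coerces the right-hand side to a string, so a value written as "00" would be reported as non-compliant; cast to [long] before the comparison for consistency with the other audit groups.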
@@ -0,0 +1,925 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE"){ + if ($name -eq "Enterprise Admins"){ + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins"){ + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and $hyperVStatus -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch { + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "UserRight-227" + Task = "Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + 
$currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-228" + Task = "Ensure 'SeCreateTokenPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages 
-join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-230" + Task = "Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-231" + Task = "Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or 
($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-232" + Task = "Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-233" + Task = "Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-234" + Task = "Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-20" + "S-1-5-19" + "S-1-5-6" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + 
($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-235" + Task = "Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-236" + Task = "Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-237" + Task = "Ensure 'SeEnableDelegationPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-238" + Task = "Ensure 'SeCreatePermanentPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = 
$securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-239" + Task = "Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + #No UserRights on System comparing to publisher recommendation + if($null -eq $currentUserRights -and $identityAccounts.Count -gt 0){ + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. 
This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if($currentUserRights.Count -lt $identityAccounts.Count){ + $users = "" + foreach($currentUser in $currentUserRights){ + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-240" + Task = "Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-241" + Task = "Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-242" + Task = "Ensure 'SeNetworkLogonRight' is set to 'S-1-5-11, S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + 
($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-243" + Task = "Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-114'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-114" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-244" + Task = "Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-20" + "S-1-5-19" + "S-1-5-6" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | 
Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-245" + Task = "Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-246" + Task = "Ensure 'SeLockMemoryPrivilege' is set to 'No One'" + Test = { + 
$securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-247" + Task = "Ensure 'SeTcbPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + 
$message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-248" + Task = "Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-249" + Task = "Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-428" + Task = "Ensure 'SeTrustedCredManAccessPrivilege' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "UserRight-429" + Task = "Ensure 'SeRemoteInteractiveLogonRight' is set to 'S-1-5-32-544'" + Test = { + $securityPolicy = Get-AuditResource 
"WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#AccountPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#AccountPolicies.ps1 new file mode 100644 index 0000000..57095cb --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#AccountPolicies.ps1 
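Review bot: In UserRight-239 the "Positive Deviation" message is built with `$users += $currentUser.Values`, which appends both hashtable values (Account and Sid) of every entry with no separator, producing an unreadable list; use `$currentUserRights.Account -join ", "` as the other tests do. Also, the missing-users message in every test reads "The user 'X' setting does not contain the following users", which should read "The user right 'X' setting ..." to match the unexpected-users message directly above it.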
@@ -0,0 +1,257 @@ +[AuditTest] @{ + Id = "1.1.1" + Task = "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordHistorySize"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 24) { + return @{ + Message = "'PasswordHistorySize' currently set to: $setPolicy. Expected: 24" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "(L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MaximumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -gt 365 -or $setPolicy -le 0){ + if ($setPolicy -eq -1) { + #Setting 0 in GroupPolicy translates to -1 in AuditPolicy + $setPolicy = "Password never expires" + } + return @{ + Message = "'MaximumPasswordAge' currently set to: $setPolicy. Expected: x <= 365 days and x > 0 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "(L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordAge"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 1 ) { + return @{ + Message = "'MinimumPasswordAge' currently set to: $setPolicy. 
Expected: x >= 1 days" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "(L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["MinimumPasswordLength"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -lt 14)) { + return @{ + Message = "'MinimumPasswordLength' currently set to: $setPolicy. Expected: x >= 14" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "(L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["PasswordComplexity"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 1) { + return @{ + Message = "'PasswordComplexity' currently set to: $setPolicy. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. 
Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "(L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutDuration"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -lt 15 -or $setPolicy -gt 99999 ) { + return @{ + Message = "'LockoutDuration' currently set to: $setPolicy. Expected: x >= 15 minutes and x <= 99999 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "(L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["LockoutBadCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 5 -or $setPolicy -le 0)) { + return @{ + Message = "'LockoutBadCount' currently set to: $setPolicy. Expected: x <= 5 and x > 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "(L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ResetLockoutCount"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if (($setPolicy -gt 99999 -or $setPolicy -lt 15 )) { + return @{ + Message = "'ResetLockoutCount' currently set to: $setPolicy. 
Expected: x <= 99999 minutes and x >= 15 minutes" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} + diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#AuditPolicies.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#AuditPolicies.ps1 new file mode 100644 index 0000000..3ae6c46 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#AuditPolicies.ps1 
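Review bot: test 1.1.1 rejects compliant values: the Task says "24 or more password(s)" but the check is `if ($setPolicy -ne 24)`, so a policy of 25 or more is reported as "False" with "Expected: 24". Use `if ($setPolicy -lt 24)` and word the message "Expected: x >= 24", matching how 1.1.3 and 1.1.4 express their lower bounds. Two smaller points in the same hunk: the Ids skip from 1.1.5 to 1.1.7 and from 1.2.2 to 1.2.4 with no comment saying where those controls are implemented (a one-line pointer would save the next reader a search), and every test does `$setPolicy = [long]$setPolicy` with no guard, so a non-numeric value in the exported policy terminates the test with a cast exception instead of returning a "Warning" status like the `$null` branch does.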
@@ -0,0 +1,2036 @@ +# Common +function Get-AuditPolicySubcategoryGUID { + Param( + [Parameter(Mandatory = $true)] + [AllowEmptyString()] + [string] $Subcategory + ) + + $map = @{ + "Security State Change" = "{0CCE9210-69AE-11D9-BED3-505054503030}" + "Security System Extension" = "{0CCE9211-69AE-11D9-BED3-505054503030}" + "System Integrity" = "{0CCE9212-69AE-11D9-BED3-505054503030}" + "IPsec Driver" = "{0CCE9213-69AE-11D9-BED3-505054503030}" + "Other System Events" = "{0CCE9214-69AE-11D9-BED3-505054503030}" + "Logon" = "{0CCE9215-69AE-11D9-BED3-505054503030}" + "Logoff" = "{0CCE9216-69AE-11D9-BED3-505054503030}" + "Account Lockout" = "{0CCE9217-69AE-11D9-BED3-505054503030}" + "IPsec Main Mode" = "{0CCE9218-69AE-11D9-BED3-505054503030}" + "IPsec Quick Mode" = "{0CCE9219-69AE-11D9-BED3-505054503030}" + "IPsec Extended Mode" = "{0CCE921A-69AE-11D9-BED3-505054503030}" + "Special Logon" = "{0CCE921B-69AE-11D9-BED3-505054503030}" + "Other Logon/Logoff Events" = "{0CCE921C-69AE-11D9-BED3-505054503030}" + "Network Policy Server" = "{0CCE9243-69AE-11D9-BED3-505054503030}" + "User / Device Claims" = "{0CCE9247-69AE-11D9-BED3-505054503030}" + "Group Membership" = "{0CCE9249-69AE-11D9-BED3-505054503030}" + "File System" = "{0CCE921D-69AE-11D9-BED3-505054503030}" + "Registry" = "{0CCE921E-69AE-11D9-BED3-505054503030}" + "Kernel Object" = "{0CCE921F-69AE-11D9-BED3-505054503030}" + "SAM" = "{0CCE9220-69AE-11D9-BED3-505054503030}" + "Certification Services" = "{0CCE9221-69AE-11D9-BED3-505054503030}" + "Application Generated" = "{0CCE9222-69AE-11D9-BED3-505054503030}" + "Handle Manipulation" = "{0CCE9223-69AE-11D9-BED3-505054503030}" + "File Share" = "{0CCE9224-69AE-11D9-BED3-505054503030}" + "Filtering Platform Packet Drop" = "{0CCE9225-69AE-11D9-BED3-505054503030}" + "Filtering Platform Connection" = "{0CCE9226-69AE-11D9-BED3-505054503030}" + "Other Object Access Events" = "{0CCE9227-69AE-11D9-BED3-505054503030}" + "Detailed File Share" = "{0CCE9244-69AE-11D9-BED3-505054503030}" + 
"Removable Storage" = "{0CCE9245-69AE-11D9-BED3-505054503030}" + "Central Policy Staging" = "{0CCE9246-69AE-11D9-BED3-505054503030}" + "Sensitive Privilege Use" = "{0CCE9228-69AE-11D9-BED3-505054503030}" + "Non Sensitive Privilege Use" = "{0CCE9229-69AE-11D9-BED3-505054503030}" + "Other Privilege Use Events" = "{0CCE922A-69AE-11D9-BED3-505054503030}" + "Process Creation" = "{0CCE922B-69AE-11D9-BED3-505054503030}" + "Process Termination" = "{0CCE922C-69AE-11D9-BED3-505054503030}" + "DPAPI Activity" = "{0CCE922D-69AE-11D9-BED3-505054503030}" + "RPC Events" = "{0CCE922E-69AE-11D9-BED3-505054503030}" + "Plug and Play Events" = "{0CCE9248-69AE-11D9-BED3-505054503030}" + "Token Right Adjusted Events" = "{0CCE924A-69AE-11D9-BED3-505054503030}" + "Audit Policy Change" = "{0CCE922F-69AE-11D9-BED3-505054503030}" + "Authentication Policy Change" = "{0CCE9230-69AE-11D9-BED3-505054503030}" + "Authorization Policy Change" = "{0CCE9231-69AE-11D9-BED3-505054503030}" + "MPSSVC Rule-Level Policy Change" = "{0CCE9232-69AE-11D9-BED3-505054503030}" + "Filtering Platform Policy Change" = "{0CCE9233-69AE-11D9-BED3-505054503030}" + "Other Policy Change Events" = "{0CCE9234-69AE-11D9-BED3-505054503030}" + "User Account Management" = "{0CCE9235-69AE-11D9-BED3-505054503030}" + "Computer Account Management" = "{0CCE9236-69AE-11D9-BED3-505054503030}" + "Security Group Management" = "{0CCE9237-69AE-11D9-BED3-505054503030}" + "Distribution Group Management" = "{0CCE9238-69AE-11D9-BED3-505054503030}" + "Application Group Management" = "{0CCE9239-69AE-11D9-BED3-505054503030}" + "Other Account Management Events" = "{0CCE923A-69AE-11D9-BED3-505054503030}" + "Directory Service Access" = "{0CCE923B-69AE-11D9-BED3-505054503030}" + "Directory Service Changes" = "{0CCE923C-69AE-11D9-BED3-505054503030}" + "Directory Service Replication" = "{0CCE923D-69AE-11D9-BED3-505054503030}" + "Detailed Directory Service Replication" = "{0CCE923E-69AE-11D9-BED3-505054503030}" + "Credential Validation" = 
"{0CCE923F-69AE-11D9-BED3-505054503030}" + "Kerberos Service Ticket Operations" = "{0CCE9240-69AE-11D9-BED3-505054503030}" + "Other Account Logon Events" = "{0CCE9241-69AE-11D9-BED3-505054503030}" + "Kerberos Authentication Service" = "{0CCE9242-69AE-11D9-BED3-505054503030}" + } + + if ($map.ContainsKey($Subcategory)) { + return $map[$Subcategory] + } + return "" +} + +# Tests +[AuditTest] @{ + Id = "17.1.1" + Task = "(L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Credential Validation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Credential Validation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Credential Validation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.2" + Task = "(L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Authentication Service + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Authentication Service" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Authentication Service'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.1.3" + Task = "(L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Kerberos Service Ticket Operations + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Kerberos Service Ticket Operations" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Kerberos Service Ticket Operations'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.1" + Task = "(L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Application Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Application Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Application Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.2" + Task = "(L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Computer Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Computer Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Computer Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.3" + Task = "(L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Distribution Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Distribution Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Distribution Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.4" + Task = "(L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Other Account Management Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Account Management Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Account Management Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.5" + Task = "(L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security Group Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security Group Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security Group Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.2.6" + Task = "(L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory User Account Management + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "User Account Management" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'User Account Management'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.1" + Task = "(L1) Ensure 'Audit PNP Activity' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Plug and Play Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Plug and Play Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Plug and Play Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.3.2" + Task = "(L1) Ensure 'Audit Process Creation' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Process Creation + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Process Creation" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Process Creation'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.1" + Task = "(L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Access + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Access" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Access'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.4.2" + Task = "(L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + # Get the audit policy for the subcategory Directory Service Changes + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Directory Service Changes" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Directory Service Changes'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.1" + Task = "(L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Account Lockout + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Account Lockout" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Account Lockout'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.2" + Task = "(L1) Ensure 'Audit Group Membership' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Group Membership + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Group Membership" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Group Membership'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.3" + Task = "(L1) Ensure 'Audit Logoff' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Logoff + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logoff" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logoff'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.4" + Task = "(L1) Ensure 'Audit Logon' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.5" + Task = "(L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Logon/Logoff Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Logon/Logoff Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Logon/Logoff Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.5.6" + Task = "(L1) Ensure 'Audit Special Logon' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Special Logon + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Special Logon" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Special Logon'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.1" + Task = "(L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Detailed File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Detailed File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Detailed File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.2" + Task = "(L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory File Share + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "File Share" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'File Share'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.3" + Task = "(L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other Object Access Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Object Access Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Object Access Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.6.4" + Task = "(L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Removable Storage + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Removable Storage" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Removable Storage'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.1" + Task = "(L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Audit Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Audit Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Audit Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.2" + Task = "(L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authentication Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authentication Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authentication Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.3" + Task = "(L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Authorization Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Authorization Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Authorization Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.4" + Task = "(L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Mpssvc Rule-Level Policy Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Mpssvc Rule-Level Policy Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Mpssvc Rule-Level Policy Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.7.5" + Task = "(L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + Test = { + # Get the audit policy for the subcategory Other Policy Change Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other Policy Change Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other Policy Change Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Failure" -and $setting -ne "Success and Failure" -And $setting -ne "Fehler" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.8.1" + Task = "(L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Sensitive Privilege Use + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Sensitive Privilege Use" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Sensitive Privilege Use'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.1" + Task = "(L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Ipsec Driver + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Ipsec Driver" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Ipsec Driver'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.2" + Task = "(L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory Other System Events + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Other System Events" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Other System Events'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.3" + Task = "(L1) Ensure 'Audit Security State Change' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security State Change + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security State Change" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security State Change'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.4" + Task = "(L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + Test = { + # Get the audit policy for the subcategory Security System Extension + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "Security System Extension" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'Security System Extension'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." 
+ } + } + + $setting = $Matches[0] + + if ($setting -ne "Success" -and $setting -ne "Success and Failure" -And $setting -ne "Erfolg" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "17.9.5" + Task = "(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" + Test = { + # Get the audit policy for the subcategory System Integrity + $subCategoryGUID = Get-AuditPolicySubcategoryGUID -Subcategory "System Integrity" + + if ([string]::IsNullOrEmpty($subCategoryGUID)) { + return @{ + Message = "Cannot get Subcategory 'System Integrity'" + Status = "None" + } + } + + $auditPolicyString = auditpol /get /subcategory:"$subCategoryGUID" + + # auditpol does not throw exceptions, so test the results and throw if needed + if ($LASTEXITCODE -ne 0) { + $errorString = "'auditpol /get /subcategory:'$subCategoryGUID' returned with exit code $LASTEXITCODE" + throw [System.ArgumentException] $errorString + Write-Error -Message $errorString + } + + if ($null -eq $auditPolicyString) { + return @{ + Status = "Warning" + Message = "Couldn't get setting. Auditpol returned nothing." + } + } + + # Remove empty lines and headers + $line = $auditPolicyString ` + | Where-Object { $_ } ` + | Select-Object -Skip 3 + + if ($line -notmatch "(No Auditing|Success and Failure|Success|Failure|Keine Überwachung|Erfolg und Fehler|Erfolg|Fehler)$") { + return @{ + Status = "Warning" + Message = "Couldn't get setting." + } + } + + $setting = $Matches[0] + + if ($setting -ne "Success and Failure" -And $setting -ne "Erfolg und Fehler") { + return @{ + Status = "False" + Message = "Set to: $setting" + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} 
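Review bot: the `Write-Error -Message $errorString` that follows `throw [System.ArgumentException] $errorString` in every Test block of this file (17.4.2 through 17.9.5) is unreachable, because `throw` ends the script block before the next statement runs; either drop it or place it before the `throw`. In the same repeated template, `$line` is whatever survives `Select-Object -Skip 3`, and when more than one line remains, `$line -notmatch "..."` filters the array instead of returning a Boolean and does not populate `$Matches`, so `$setting = $Matches[0]` can read a stale value from an earlier match or `$null`; selecting exactly one line (`Select-Object -Skip 3 -First 1`) before the match would make the result deterministic. The accepted strings are hard-coded for English and German output only, so on any other system locale the test returns Status "Warning" rather than a real result, which deserves a comment next to the regex. Finally, since these tests differ only in the subcategory name and the required inclusion values, a shared helper in AuditGroupFunctions.ps1 that takes the subcategory and the accepted settings would remove the duplicated auditpol parsing and make the three fixes above a single change.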
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#RegistrySettings.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#RegistrySettings.ps1 new file mode 100644 index 0000000..daa3744 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#RegistrySettings.ps1 
@@ -0,0 +1,14316 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +# 2025 +[AuditTest] @{ + Id = "1.1.6" + Task = "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SAM" ` + -Name "RelaxMinimumPasswordLengthLimits" ` + | Select-Object -ExpandProperty "RelaxMinimumPasswordLengthLimits" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.2" + Task = "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LimitBlankPasswordUse" ` + | Select-Object -ExpandProperty "LimitBlankPasswordUse" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SCENoApplyLegacyAuditPolicy" ` + | Select-Object -ExpandProperty "SCENoApplyLegacyAuditPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "CrashOnAuditFail" ` + | Select-Object -ExpandProperty "CrashOnAuditFail" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4.1" + Task = "(L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" ` + -Name "AddPrinterDrivers" ` + | Select-Object -ExpandProperty "AddPrinterDrivers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.1" + Task = "(L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "SubmitControl" ` + | Select-Object -ExpandProperty "SubmitControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.2" + Task = "(L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "vulnerablechannelallowlist" ` + | Select-Object -ExpandProperty "vulnerablechannelallowlist" + + return @{ + Message = "Registry value found." + Status = "False" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.3" + Task = "(L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LdapEnforceChannelBinding" ` + | Select-Object -ExpandProperty "LdapEnforceChannelBinding" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.4" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.5" + Task = "(L1) Ensure 'Domain controller: LDAP server signing requirements Enforcement' is set to 'Enabled' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerEnforceIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerEnforceIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.5.6" + Task = "(L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RefusePasswordChange" ` + | Select-Object -ExpandProperty "RefusePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.1" + Task = "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireSignOrSeal" ` + | Select-Object -ExpandProperty "RequireSignOrSeal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.2" + Task = "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SealSecureChannel" ` + | Select-Object -ExpandProperty "SealSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.3" + Task = "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "SignSecureChannel" ` + | Select-Object -ExpandProperty "SignSecureChannel" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.4" + Task = "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "DisablePasswordChange" ` + | Select-Object -ExpandProperty "DisablePasswordChange" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.5" + Task = "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "MaximumPasswordAge" ` + | Select-Object -ExpandProperty "MaximumPasswordAge" + + if (($regValue -le 0 -or $regValue -gt 30)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x > 0 and x <= 30" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.6.6" + Task = "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "RequireStrongKey" ` + | Select-Object -ExpandProperty "RequireStrongKey" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.1" + Task = "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableCAD" ` + | Select-Object -ExpandProperty "DisableCAD" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.2" + Task = "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DontDisplayLastUserName" ` + | Select-Object -ExpandProperty "DontDisplayLastUserName" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.3" + Task = "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "InactivityTimeoutSecs" ` + | Select-Object -ExpandProperty "InactivityTimeoutSecs" + + if (($regValue -gt 900 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.4" + Task = "(L1) Configure 'Interactive logon: Message text for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeText" ` + | Select-Object -ExpandProperty "LegalNoticeText" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.5" + Task = "(L1) Configure 'Interactive logon: Message title for users attempting to log on'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LegalNoticeCaption" ` + | Select-Object -ExpandProperty "LegalNoticeCaption" + + $regValue = $regValue.Trim([char]0x0000) + if (($regValue -notmatch ".+") -or ([string]::IsNullOrEmpty($regValue)) -or ([string]::IsNullOrWhiteSpace($regValue))) { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '.+'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.6" + Task = "(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "CachedLogonsCount" ` + | Select-Object -ExpandProperty "CachedLogonsCount" + + if ($regValue -notmatch "^[43210]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[43210]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.7" + Task = "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "PasswordExpiryWarning" ` + | Select-Object -ExpandProperty "PasswordExpiryWarning" + + if (($regValue -gt 14 -or $regValue -lt 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 14 and x >= 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.8" + Task = "(L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ForceUnlockLogon" ` + | Select-Object -ExpandProperty "ForceUnlockLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.7.9" + Task = "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 1 - 'Lock Workstation' or 2 / 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScRemoveOption" ` + | Select-Object -ExpandProperty "ScRemoveOption" + + if ($regValue -notmatch "^(1|2|3)$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^(1|2|3)$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.8.1" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.2" + Task = "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbClientConfiguration).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.8.3" + Task = "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" ` + -Name "EnablePlainTextPassword" ` + | Select-Object -ExpandProperty "EnablePlainTextPassword" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.1" + Task = "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "AutoDisconnect" ` + | Select-Object -ExpandProperty "AutoDisconnect" + + if (($regValue -gt 15)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.2" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).RequireSecuritySignature -ne $True) { + return @{ + Message = "RequireSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RequireSecuritySignature" ` + | Select-Object -ExpandProperty "RequireSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.3" + Task = "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + Test = { + try { + if ((Get-SmbServerConfiguration -ErrorAction Stop).EnableSecuritySignature -ne $True) { + return @{ + Message = "EnableSecuritySignature is not set to True" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } + catch { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "EnableSecuritySignature" ` + | Select-Object -ExpandProperty "EnableSecuritySignature" + + return @{ + Message = "Registry value is '$regValue'. Get-SMBServerConfiguration failed, resorted to checking registry, which might not be 100% accurate. See here and here" + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "2.3.9.4" + Task = "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "enableforcedlogoff" ` + | Select-Object -ExpandProperty "enableforcedlogoff" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.9.5" + Task = "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 1 - 'Accept if provided by client' or 2 - higher (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "SMBServerNameHardeningLevel" ` + | Select-Object -ExpandProperty "SMBServerNameHardeningLevel" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.2" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymousSAM" ` + | Select-Object -ExpandProperty "RestrictAnonymousSAM" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.3" + Task = "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RestrictAnonymous" ` + | Select-Object -ExpandProperty "RestrictAnonymous" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.4" + Task = "(L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "DisableDomainCreds" ` + | Select-Object -ExpandProperty "DisableDomainCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.5" + Task = "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "EveryoneIncludesAnonymous" ` + | Select-Object -ExpandProperty "EveryoneIncludesAnonymous" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.6" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is configured (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + $reference = @( + "LSARPC" + "NETLOGON" + "SAMR" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: LSARPC,NETLOGON,SAMR" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.7" + Task = "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is configured (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionPipes" ` + | Select-Object -ExpandProperty "NullSessionPipes" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.8" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\ProductOptions" + "System\CurrentControlSet\Control\Server Applications" + "Software\Microsoft\Windows NT\CurrentVersion" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +$CARoleStatus = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed +$WINSStatus = (Get-WindowsFeature -Name WINS).Installed +[AuditTest] @{ + Id = "2.3.10.9 A" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [WINS Role Feature and CA Role Service NOT installed]" + Test = { + try { + if (($CARoleStatus -or $WINSStatus) -eq $true) { + return @{ + Message = "WINS Role Feature or CA Role Service are installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 B" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [CA Role Service installed]" + Test = { + try { + if ($CARoleStatus -eq $false) { + return @{ + Message = "CA Role Service NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + 
"Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\CertSvc" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.9 C" + Task = "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured [WINS Role Feature installed]" + Test = { + try { + if ($WINSStatus -eq $false) { + return @{ + Message = "WINS Role Feature NOT installed" + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths" ` + -Name "Machine" ` + | Select-Object -ExpandProperty "Machine" + + $reference = @( + "System\CurrentControlSet\Control\Print\Printers" + "System\CurrentControlSet\Services\Eventlog" + "Software\Microsoft\OLAP Server" + "Software\Microsoft\Windows NT\CurrentVersion\Print" + "Software\Microsoft\Windows NT\CurrentVersion\Windows" + "System\CurrentControlSet\Control\ContentIndex" + "System\CurrentControlSet\Control\Terminal Server" + "System\CurrentControlSet\Control\Terminal Server\UserConfig" + "System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration" + "Software\Microsoft\Windows NT\CurrentVersion\Perflib" + "System\CurrentControlSet\Services\SysmonLog" + "System\CurrentControlSet\Services\WINS" + ) + if (-not (Test-ArrayEqual $regValue $reference)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\WINS" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.10" + Task = "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "RestrictNullSessAccess" ` + | Select-Object -ExpandProperty "RestrictNullSessAccess" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.11" + Task = "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "restrictremotesam" ` + | Select-Object -ExpandProperty "restrictremotesam" + + if ($regValue -ne "O:BAG:BAD:(A;;RC;;;BA)") { + return @{ + Message = "Registry value is '$regValue'. Expected: O:BAG:BAD:(A;;RC;;;BA)" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.12" + Task = "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" ` + -Name "NullSessionShares" ` + | Select-Object -ExpandProperty "NullSessionShares" + + if ($regValue -ne "") { + return @{ + Message = "Registry value is '$regValue'. Expected: " + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.13" + Task = "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "ForceGuest" ` + | Select-Object -ExpandProperty "ForceGuest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.1" + Task = "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "UseMachineId" ` + | Select-Object -ExpandProperty "UseMachineId" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.2" + Task = "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AllowNullSessionFallback" ` + | Select-Object -ExpandProperty "AllowNullSessionFallback" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.3" + Task = "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\pku2u" ` + -Name "AllowOnlineID" ` + | Select-Object -ExpandProperty "AllowOnlineID" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if ($regValue -ne 2147483640) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.7" + Task = "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "LmCompatibilityLevel" ` + | Select-Object -ExpandProperty "LmCompatibilityLevel" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.8" + Task = "(L1) Ensure 'Network security: LDAP client encryption requirements' is set to 1 - 'Negotiate sealing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "ldapclientconfidentiality" ` + | Select-Object -ExpandProperty "ldapclientconfidentiality" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.9" + Task = "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 1 - 'Negotiate signing' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP" ` + -Name "LDAPClientIntegrity" ` + | Select-Object -ExpandProperty "LDAPClientIntegrity" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.10" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinClientSec" ` + | Select-Object -ExpandProperty "NTLMMinClientSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.11" + Task = "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "NTLMMinServerSec" ` + | Select-Object -ExpandProperty "NTLMMinServerSec" + + if ($regValue -ne 537395200) { + return @{ + Message = "Registry value is '$regValue'. Expected: 537395200" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.12" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "AuditReceivingNTLMTraffic" ` + | Select-Object -ExpandProperty "AuditReceivingNTLMTraffic" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.13" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' is set to 'Enable all' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" ` + -Name "AuditNTLMInDomain" ` + | Select-Object -ExpandProperty "AuditNTLMInDomain" + + if ($regValue -ne 7) { + return @{ + Message = "Registry value is '$regValue'. Expected: 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.14" + Task = "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 1 - 'Audit all' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" ` + -Name "RestrictSendingNTLMTraffic" ` + | Select-Object -ExpandProperty "RestrictSendingNTLMTraffic" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.13.1" + Task = "(L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ShutdownWithoutLogon" ` + | Select-Object -ExpandProperty "ShutdownWithoutLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.1" + Task = "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" ` + -Name "ObCaseInsensitive" ` + | Select-Object -ExpandProperty "ObCaseInsensitive" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.15.2" + Task = "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "ProtectionMode" ` + | Select-Object -ExpandProperty "ProtectionMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.1" + Task = "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "FilterAdministratorToken" ` + | Select-Object -ExpandProperty "FilterAdministratorToken" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.2" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 2 - 'Prompt for consent on the secure desktop' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorAdmin" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorAdmin" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.3" + Task = "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "ConsentPromptBehaviorUser" ` + | Select-Object -ExpandProperty "ConsentPromptBehaviorUser" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.4" + Task = "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableInstallerDetection" ` + | Select-Object -ExpandProperty "EnableInstallerDetection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.5" + Task = "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableSecureUIAPaths" ` + | Select-Object -ExpandProperty "EnableSecureUIAPaths" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.6" + Task = "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableLUA" ` + | Select-Object -ExpandProperty "EnableLUA" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.7" + Task = "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "PromptOnSecureDesktop" ` + | Select-Object -ExpandProperty "PromptOnSecureDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.17.8" + Task = "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableVirtualization" ` + | Select-Object -ExpandProperty "EnableVirtualization" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.1" + Task = "(L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "5.2" + Task = "(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.1" + Task = "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"; + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile"; + $key = "EnableFirewall"; + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.2" + Task = "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member 
Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.3" + Task = "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.4" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = 
"LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\domainfw.log"; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.5" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.6" + Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.7" + 
Task = "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.1" + Task = "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.2" + Task = "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType 
$profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.3" + Task = "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.4" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\privatefw.log"; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.5" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Private" + $result = $path1, $path2 | 
Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.6" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.2.7" + Task = "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Private" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.1" + Task = "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "EnableFirewall" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key 
$key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.2" + Task = "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DefaultInboundAction" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.3" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "DisableNotifications" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.4" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType 
$profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.5" + Task = "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + $key = "AllowLocalIPsecPolicyMerge" + $expectedValue = 0; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.6" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFilePath" + $expectedValue = "%SystemRoot%\System32\logfiles\firewall\publicfw.log"; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.7" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogFileSize" + $expectedValue = 16384; + $profileType = "Public" + $result = $path1, $path2 
| Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.8" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Public" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.3.9" + Task = "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging" ` + -Name "LogSuccessfulConnections" ` + | Select-Object -ExpandProperty "LogSuccessfulConnections" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.1" + Task = "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenCamera" ` + | Select-Object -ExpandProperty "NoLockScreenCamera" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.1.2" + Task = "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" ` + -Name "NoLockScreenSlideshow" ` + | Select-Object -ExpandProperty "NoLockScreenSlideshow" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.2.2" + Task = "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization" ` + -Name "AllowInputPersonalization" ` + | Select-Object -ExpandProperty "AllowInputPersonalization" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.1.3" + Task = "(L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "AllowOnlineTips" ` + | Select-Object -ExpandProperty "AllowOnlineTips" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.1" + Task = "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "LocalAccountTokenFilterPolicy" ` + | Select-Object -ExpandProperty "LocalAccountTokenFilterPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.2" + Task = "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.3" + Task = "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.4" + Task = "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config" ` + -Name "EnableCertPaddingCheck" ` + | Select-Object -ExpandProperty "EnableCertPaddingCheck" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.5" + Task = "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" ` + -Name "DisableExceptionChainValidation" ` + | Select-Object -ExpandProperty "DisableExceptionChainValidation" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.6" + Task = "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "NodeType" ` + | Select-Object -ExpandProperty "NodeType" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.4.7" + Task = "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.1" + Task = "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "AutoAdminLogon" ` + | Select-Object -ExpandProperty "AutoAdminLogon" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.2" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.3" + Task = "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "DisableIPSourceRouting" ` + | Select-Object -ExpandProperty "DisableIPSourceRouting" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.4" + Task = "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "EnableICMPRedirect" ` + | Select-Object -ExpandProperty "EnableICMPRedirect" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.5" + Task = "(L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "KeepAliveTime" ` + | Select-Object -ExpandProperty "KeepAliveTime" + + if ($regValue -ne 300000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 300000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.6" + Task = "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" ` + -Name "nonamereleaseondemand" ` + | Select-Object -ExpandProperty "nonamereleaseondemand" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.7" + Task = "(L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "PerformRouterDiscovery" ` + | Select-Object -ExpandProperty "PerformRouterDiscovery" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.8" + Task = "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" ` + -Name "SafeDllSearchMode" ` + | Select-Object -ExpandProperty "SafeDllSearchMode" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.9" + Task = "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -Name "ScreenSaverGracePeriod" ` + | Select-Object -ExpandProperty "ScreenSaverGracePeriod" + + if ($regValue -notmatch "^[0-5]$") { + return @{ + Message = "Registry value is '$regValue'. Expected: Matching expression '^[0-5]$'" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.10" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.11" + Task = "(L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ` + -Name "tcpmaxdataretransmissions" ` + | Select-Object -ExpandProperty "tcpmaxdataretransmissions" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.5.12" + Task = "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security" ` + -Name "WarningLevel" ` + | Select-Object -ExpandProperty "WarningLevel" + + if (($regValue -gt 90)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 90" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.1" + Task = "(L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMDNS" ` + | Select-Object -ExpandProperty "EnableMDNS" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.2" + Task = "(L1) Ensure 'Configure NetBIOS settings' is set to 2 - 'Enabled: Disable NetBIOS name resolution on public networks' or 0 - 'Enabled: Disable NetBIOS name resolution'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableNetBIOS" ` + | Select-Object -ExpandProperty "EnableNetBIOS" + + if (($regValue -ne 2) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2 or 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.3" + Task = "(L2) Ensure 'Turn off default IPv6 DNS Servers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "DisableIPv6DefaultDnsServers" ` + | Select-Object -ExpandProperty "DisableIPv6DefaultDnsServers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.4.4" + Task = "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" ` + -Name "EnableMulticast" ` + | Select-Object -ExpandProperty "EnableMulticast" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.5.1" + Task = "(L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableFontProviders" ` + | Select-Object -ExpandProperty "EnableFontProviders" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.1" + Task = "(L1) Ensure 'Audit client does not support encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "AuditClientDoesNotSupportEncryption" ` + | Select-Object -ExpandProperty "AuditClientDoesNotSupportEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.2" + Task = "(L1) Ensure 'Audit client does not support signing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "AuditClientDoesNotSupportSigning" ` + | Select-Object -ExpandProperty "AuditClientDoesNotSupportSigning" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.3" + Task = "(L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "AuditInsecureGuestLogon" ` + | Select-Object -ExpandProperty "AuditInsecureGuestLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.4" + Task = "(L1) Ensure 'Enable remote mailslots' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Bowser" ` + -Name "EnableMailslots" ` + | Select-Object -ExpandProperty "EnableMailslots" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.5" + Task = "(L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "MinSmb2Dialect" ` + | Select-Object -ExpandProperty "MinSmb2Dialect" + + if ($regValue -ne 785) { + return @{ + Message = "Registry value is '$regValue'. Expected: 785" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.7.6" + Task = "(L1) Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "InvalidAuthenticationDelayTimeInMs" ` + | Select-Object -ExpandProperty "InvalidAuthenticationDelayTimeInMs" + + if (($regValue -lt 2000)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 2000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.1" + Task = "(L1) Ensure 'Audit insecure guest logon' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AuditInsecureGuestLogon" ` + | Select-Object -ExpandProperty "AuditInsecureGuestLogon" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.2" + Task = "(L1) Ensure 'Audit server does not support encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AuditServerDoesNotSupportEncryption" ` + | Select-Object -ExpandProperty "AuditServerDoesNotSupportEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.3" + Task = "(L1) Ensure 'Audit server does not support signing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AuditServerDoesNotSupportSigning" ` + | Select-Object -ExpandProperty "AuditServerDoesNotSupportSigning" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.4" + Task = "(L1) Ensure 'Enable authentication rate limiter' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanServer" ` + -Name "EnableAuthRateLimiter" ` + | Select-Object -ExpandProperty "EnableAuthRateLimiter" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.5" + Task = "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "AllowInsecureGuestAuth" ` + | Select-Object -ExpandProperty "AllowInsecureGuestAuth" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.6" + Task = "(L1) Ensure 'Enable remote mailslots' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider" ` + -Name "EnableMailslots" ` + | Select-Object -ExpandProperty "EnableMailslots" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.7" + Task = "(L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "MinSmb2Dialect" ` + | Select-Object -ExpandProperty "MinSmb2Dialect" + + if ($regValue -ne 785) { + return @{ + Message = "Registry value is '$regValue'. Expected: 785" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.8.8" + Task = "(L1) Ensure 'Require Encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation" ` + -Name "RequireEncryption" ` + | Select-Object -ExpandProperty "RequireEncryption" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 A" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnDomain" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 B" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowLLTDIOOnPublicNet" ` + | Select-Object -ExpandProperty "AllowLLTDIOOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 C" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableLLTDIO" ` + | Select-Object -ExpandProperty "EnableLLTDIO" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.1 D" + Task = "(L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitLLTDIOOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitLLTDIOOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 A" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Domain network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnDomain" ` + | Select-Object -ExpandProperty "AllowRspndrOnDomain" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 B" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Public network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "AllowRspndrOnPublicNet" ` + | Select-Object -ExpandProperty "AllowRspndrOnPublicNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 C" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "EnableRspndr" ` + | Select-Object -ExpandProperty "EnableRspndr" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.9.2 D" + Task = "(L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Private network)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD" ` + -Name "ProhibitRspndrOnPrivateNet" ` + | Select-Object -ExpandProperty "ProhibitRspndrOnPrivateNet" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.10.2" + Task = "(L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.2" + Task = "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_AllowNetBridge_NLA" ` + | Select-Object -ExpandProperty "NC_AllowNetBridge_NLA" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.3" + Task = "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_ShowSharedAccessUI" ` + | Select-Object -ExpandProperty "NC_ShowSharedAccessUI" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.11.4" + Task = "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections" ` + -Name "NC_StdDomainUserSetLocation" ` + | Select-Object -ExpandProperty "NC_StdDomainUserSetLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 A" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\NETLOGON)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\NETLOGON" ` + | Select-Object -ExpandProperty "\\*\NETLOGON" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.14.1 B" + Task = "(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with `"Require Mutual Authentication`", `"Require Integrity`", and `"Require Privacy`" set for all NETLOGON and SYSVOL shares' (\\*\SYSVOL)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths" ` + -Name "\\*\SYSVOL" ` + | Select-Object -ExpandProperty "\\*\SYSVOL" + + if ($regValue -eq $null) { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + $array = $regValue.Split(',') | ForEach-Object { $_.Trim() } + + $missingElements = @() + $elementsToCheck = @("RequireMutualAuthentication=1", "RequireIntegrity=1", "RequirePrivacy=1") + foreach ($element in $elementsToCheck) { + if ($array -notcontains $element) { + $missingElements += $element + } + } + + if ($missingElements.Length -gt 0) { + return @{ + Message = ($missingElements -join " and ") + " not configured correctly." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.19.2.1" + Task = "(L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" ` + -Name "DisabledComponents" ` + | Select-Object -ExpandProperty "DisabledComponents" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 A" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "EnableRegistrars" ` + | Select-Object -ExpandProperty "EnableRegistrars" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 B" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableUPnPRegistrar" ` + | Select-Object -ExpandProperty "DisableUPnPRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 C" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableInBand802DOT11Registrar" ` + | Select-Object -ExpandProperty "DisableInBand802DOT11Registrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 D" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableFlashConfigRegistrar" ` + | Select-Object -ExpandProperty "DisableFlashConfigRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.1 E" + Task = "(L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" ` + -Name "DisableWPDRegistrar" ` + | Select-Object -ExpandProperty "DisableWPDRegistrar" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.20.2" + Task = "(L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI" ` + -Name "DisableWcnUi" ` + | Select-Object -ExpandProperty "DisableWcnUi" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.1" + Task = "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fMinimizeConnections" ` + | Select-Object -ExpandProperty "fMinimizeConnections" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.21.2" + Task = "(L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" ` + -Name "fBlockNonDomain" ` + | Select-Object -ExpandProperty "fBlockNonDomain" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.1" + Task = "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RegisterSpoolerRemoteRpcEndPoint" ` + | Select-Object -ExpandProperty "RegisterSpoolerRemoteRpcEndPoint" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.2" + Task = "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "RedirectionGuardPolicy" ` + | Select-Object -ExpandProperty "RedirectionGuardPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.3" + Task = "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcUseNamedPipeProtocol" ` + | Select-Object -ExpandProperty "RpcUseNamedPipeProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.4" + Task = "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcAuthentication" ` + | Select-Object -ExpandProperty "RpcAuthentication" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.5" + Task = "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcProtocols" ` + | Select-Object -ExpandProperty "RpcProtocols" + + if ($regValue -ne 5) { + return @{ + Message = "Registry value is '$regValue'. Expected: 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.6" + Task = "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: 0 - Negotiate' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "ForceKerberosForRpc" ` + | Select-Object -ExpandProperty "ForceKerberosForRpc" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.7" + Task = "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC" ` + -Name "RpcTcpPort" ` + | Select-Object -ExpandProperty "RpcTcpPort" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.8" + Task = "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" ` + -Name "RpcAuthnLevelPrivacyEnabled" ` + | Select-Object -ExpandProperty "RpcAuthnLevelPrivacyEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.9" + Task = "(L2) Ensure 'Configure Windows protected print' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\WPP" ` + -Name "WindowsProtectedPrintGroupPolicyState" ` + | Select-Object -ExpandProperty "WindowsProtectedPrintGroupPolicyState" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.10" + Task = "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "RestrictDriverInstallationToAdministrators" ` + | Select-Object -ExpandProperty "RestrictDriverInstallationToAdministrators" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.11" + Task = "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "CopyFilesPolicy" ` + | Select-Object -ExpandProperty "CopyFilesPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.12" + Task = "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.7.13" + Task = "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.8.1.1" + Task = "(L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoCloudApplicationNotification" ` + | Select-Object -ExpandProperty "NoCloudApplicationNotification" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.3.1" + Task = "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` + -Name "ProcessCreationIncludeCmdLine_Enabled" ` + | Select-Object -ExpandProperty "ProcessCreationIncludeCmdLine_Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.1" + Task = "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" ` + -Name "AllowEncryptionOracle" ` + | Select-Object -ExpandProperty "AllowEncryptionOracle" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.4.2" + Task = "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation" ` + -Name "AllowProtectedCreds" ` + | Select-Object -ExpandProperty "AllowProtectedCreds" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.1" + Task = "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "EnableVirtualizationBasedSecurity" ` + | Select-Object -ExpandProperty "EnableVirtualizationBasedSecurity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.2" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 1 - 'Secure Boot' or 3 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "RequirePlatformSecurityFeatures" ` + | Select-Object -ExpandProperty "RequirePlatformSecurityFeatures" + + if (($regValue -ne 1) -and ($regValue -ne 3)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.3" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HypervisorEnforcedCodeIntegrity" ` + | Select-Object -ExpandProperty "HypervisorEnforcedCodeIntegrity" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.4" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "HVCIMATRequired" ` + | Select-Object -ExpandProperty "HVCIMATRequired" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.5" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.6" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "LsaCfgFlags" ` + | Select-Object -ExpandProperty "LsaCfgFlags" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.5.7" + Task = "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" ` + -Name "ConfigureSystemGuardLaunch" ` + | Select-Object -ExpandProperty "ConfigureSystemGuardLaunch" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.7.2" + Task = "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" ` + -Name "PreventDeviceMetadataFromNetwork" ` + | Select-Object -ExpandProperty "PreventDeviceMetadataFromNetwork" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.13.1" + Task = "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch" ` + -Name "DriverLoadPolicy" ` + | Select-Object -ExpandProperty "DriverLoadPolicy" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.2" + Task = "(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.3" + Task = "(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.4" + Task = "(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoBackgroundPolicy" ` + | Select-Object -ExpandProperty "NoBackgroundPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.5" + Task = "(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" ` + -Name "NoGPOListChanges" ` + | Select-Object -ExpandProperty "NoGPOListChanges" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.6" + Task = "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableCdp" ` + | Select-Object -ExpandProperty "EnableCdp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.19.7" + Task = "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableBkGndGroupPolicy" ` + | Select-Object -ExpandProperty "DisableBkGndGroupPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." 
+ Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.1" + Task = "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableWebPnPDownload" ` + | Select-Object -ExpandProperty "DisableWebPnPDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.2" + Task = "(L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC" ` + -Name "PreventHandwritingDataSharing" ` + | Select-Object -ExpandProperty "PreventHandwritingDataSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.3" + Task = "(L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" ` + -Name "PreventHandwritingErrorReports" ` + | Select-Object -ExpandProperty "PreventHandwritingErrorReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.4" + Task = "(L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard" ` + -Name "ExitOnMSICW" ` + | Select-Object -ExpandProperty "ExitOnMSICW" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.5" + Task = "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoWebServices" ` + | Select-Object -ExpandProperty "NoWebServices" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.6" + Task = "(L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers" ` + -Name "DisableHTTPPrinting" ` + | Select-Object -ExpandProperty "DisableHTTPPrinting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.7" + Task = "(L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control" ` + -Name "NoRegistration" ` + | Select-Object -ExpandProperty "NoRegistration" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.8" + Task = "(L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion" ` + -Name "DisableContentFileUpdates" ` + | Select-Object -ExpandProperty "DisableContentFileUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.9" + Task = "(L2) Ensure 'Turn off the `"Order Prints`" picture task' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoOnlinePrintsWizard" ` + | Select-Object -ExpandProperty "NoOnlinePrintsWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.10" + Task = "(L2) Ensure 'Turn off the `"Publish to Web`" task for files and folders' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoPublishingWizard" ` + | Select-Object -ExpandProperty "NoPublishingWizard" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.11" + Task = "(L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client" ` + -Name "CEIP" ` + | Select-Object -ExpandProperty "CEIP" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.12" + Task = "(L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows" ` + -Name "CEIPEnable" ` + | Select-Object -ExpandProperty "CEIPEnable" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 A" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" ` + -Name "Disabled" ` + | Select-Object -ExpandProperty "Disabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.20.1.13 B" + Task = "(L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" ` + -Name "DoReport" ` + | Select-Object -ExpandProperty "DoReport" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 A" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitBehavior" ` + | Select-Object -ExpandProperty "DevicePKInitBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.23.1 B" + Task = "(L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters" ` + -Name "DevicePKInitEnabled" ` + | Select-Object -ExpandProperty "DevicePKInitEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.24.1" + Task = "(L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" ` + -Name "DeviceEnumerationPolicy" ` + | Select-Object -ExpandProperty "DeviceEnumerationPolicy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.1" + Task = "(L1) Ensure 'Configure password backup directory' is set to 2 - 'Enabled: Active Directory' or 1 - 'Enabled: Azure Active Directory'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "BackupDirectory" ` + | Select-Object -ExpandProperty "BackupDirectory" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.2" + Task = "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PwdExpirationProtectionEnabled" ` + | Select-Object -ExpandProperty "PwdExpirationProtectionEnabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.3" + Task = "(L1) Ensure 'Enable password encryption' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "ADPasswordEncryptionEnabled" ` + | Select-Object -ExpandProperty "ADPasswordEncryptionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.4" + Task = "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordComplexity" ` + | Select-Object -ExpandProperty "PasswordComplexity" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.5" + Task = "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordLength" ` + | Select-Object -ExpandProperty "PasswordLength" + + if ($regValue -lt 15) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 15" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.6" + Task = "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PasswordAgeDays" ` + | Select-Object -ExpandProperty "PasswordAgeDays" + + if ($regValue -gt 30 -or $regValue -lt 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 30 and x >= 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.7" + Task = "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationResetDelay" ` + | Select-Object -ExpandProperty "PostAuthenticationResetDelay" + + if (($regValue -gt 8 -or $regValue -le 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 8 and x > 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.25.8" + Task = "(L1) Ensure 'Post-authentication actions: Actions' is set to 3 - 'Enabled: Reset the password and logoff the managed account' or 5 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS" ` + -Name "PostAuthenticationActions" ` + | Select-Object -ExpandProperty "PostAuthenticationActions" + + if (($regValue -ne 3) -and ($regValue -ne 5)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3 or 5" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.1" + Task = "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCustomSSPsAPs" ` + | Select-Object -ExpandProperty "AllowCustomSSPsAPs" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.26.2" + Task = "(NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" ` + -Name "RunAsPPL" ` + | Select-Object -ExpandProperty "RunAsPPL" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.27.1" + Task = "(L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International" ` + -Name "BlockUserInputMethodsForSignIn" ` + | Select-Object -ExpandProperty "BlockUserInputMethodsForSignIn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.1" + Task = "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockUserFromShowingAccountDetailsOnSignin" ` + | Select-Object -ExpandProperty "BlockUserFromShowingAccountDetailsOnSignin" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.2" + Task = "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontDisplayNetworkSelectionUI" ` + | Select-Object -ExpandProperty "DontDisplayNetworkSelectionUI" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.3" + Task = "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DontEnumerateConnectedUsers" ` + | Select-Object -ExpandProperty "DontEnumerateConnectedUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.4" + Task = "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnumerateLocalUsers" ` + | Select-Object -ExpandProperty "EnumerateLocalUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.5" + Task = "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "DisableLockScreenAppNotifications" ` + | Select-Object -ExpandProperty "DisableLockScreenAppNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.6" + Task = "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "BlockDomainPicturePassword" ` + | Select-Object -ExpandProperty "BlockDomainPicturePassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.28.7" + Task = "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowDomainPINLogon" ` + | Select-Object -ExpandProperty "AllowDomainPINLogon" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.30.1.1" + Task = "(L1) Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters" ` + -Name "BlockNetbiosDiscovery" ` + | Select-Object -ExpandProperty "BlockNetbiosDiscovery" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.1" + Task = "(L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "AllowCrossDeviceClipboard" ` + | Select-Object -ExpandProperty "AllowCrossDeviceClipboard" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.31.2" + Task = "(L2) Ensure 'Allow upload of User Activities' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "UploadUserActivities" ` + | Select-Object -ExpandProperty "UploadUserActivities" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.1" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.2" + Task = "(L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.3" + Task = "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "DCSettingIndex" ` + | Select-Object -ExpandProperty "DCSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.33.6.4" + Task = "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51" ` + -Name "ACSettingIndex" ` + | Select-Object -ExpandProperty "ACSettingIndex" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.1" + Task = "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowUnsolicited" ` + | Select-Object -ExpandProperty "fAllowUnsolicited" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.35.2" + Task = "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fAllowToGetHelp" ` + | Select-Object -ExpandProperty "fAllowToGetHelp" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.1" + Task = "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "EnableAuthEpResolution" ` + | Select-Object -ExpandProperty "EnableAuthEpResolution" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.36.2" + Task = "(L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" ` + -Name "RestrictRemoteClients" ` + | Select-Object -ExpandProperty "RestrictRemoteClients" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.1" + Task = "(L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 1 - 'Enabled: Audit' or 2 - higher (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM" ` + -Name "SamNGCKeyROCAValidation" ` + | Select-Object -ExpandProperty "SamNGCKeyROCAValidation" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.2" + Task = "(L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Allow strong encryption change password RPC method only' (DC only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM" ` + -Name "SamrChangeUserPasswordApiPolicy" ` + | Select-Object -ExpandProperty "SamrChangeUserPasswordApiPolicy" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.39.3" + Task = "(L1) Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods' (MS only)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM" ` + -Name "SamrChangeUserPasswordApiPolicy" ` + | Select-Object -ExpandProperty "SamrChangeUserPasswordApiPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1" + Task = "(L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" ` + -Name "DisableQueryRemoteServer" ` + | Select-Object -ExpandProperty "DisableQueryRemoteServer" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.11.1" + Task = "(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" ` + -Name "ScenarioExecutionEnabled" ` + | Select-Object -ExpandProperty "ScenarioExecutionEnabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.49.1" + Task = "(L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" ` + -Name "DisabledByGroupPolicy" ` + | Select-Object -ExpandProperty "DisabledByGroupPolicy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.1" + Task = "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.51.1.2" + Task = "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.1" + Task = "(L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager" ` + -Name "AllowSharedLocalAppData" ` + | Select-Object -ExpandProperty "AllowSharedLocalAppData" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.4.2" + Task = "(L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx" ` + -Name "DisablePerUserUnsignedPackagesByDefault" ` + | Select-Object -ExpandProperty "DisablePerUserUnsignedPackagesByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.6.1" + Task = "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "MSAOptional" ` + | Select-Object -ExpandProperty "MSAOptional" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.1" + Task = "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoAutoplayfornonVolume" ` + | Select-Object -ExpandProperty "NoAutoplayfornonVolume" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.2" + Task = "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoAutorun" ` + | Select-Object -ExpandProperty "NoAutorun" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.8.3" + Task = "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoDriveTypeAutoRun" ` + | Select-Object -ExpandProperty "NoDriveTypeAutoRun" + + if ($regValue -ne 255) { + return @{ + Message = "Registry value is '$regValue'. Expected: 255" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.9.1.1" + Task = "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures" ` + -Name "EnhancedAntiSpoofing" ` + | Select-Object -ExpandProperty "EnhancedAntiSpoofing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.11.1" + Task = "(L2) Ensure 'Allow Use of Camera' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera" ` + -Name "AllowCamera" ` + | Select-Object -ExpandProperty "AllowCamera" + + if ($regValue -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" ` + -Name "Value" ` + | Select-Object -ExpandProperty "Value" + + if ($regValue -match "Deny") { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Camera is not deactivated." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "18.10.13.1" + Task = "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableConsumerAccountStateContent" ` + | Select-Object -ExpandProperty "DisableConsumerAccountStateContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.2" + Task = "(L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableCloudOptimizedContent" ` + | Select-Object -ExpandProperty "DisableCloudOptimizedContent" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.13.3" + Task = "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsConsumerFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsConsumerFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.14.1" + Task = "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect" ` + -Name "RequirePinForPairing" ` + | Select-Object -ExpandProperty "RequirePinForPairing" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or x 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.1" + Task = "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI" ` + -Name "DisablePasswordReveal" ` + | Select-Object -ExpandProperty "DisablePasswordReveal" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.15.2" + Task = "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI" ` + -Name "EnumerateAdministrators" ` + | Select-Object -ExpandProperty "EnumerateAdministrators" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.1" + Task = "(L1) Ensure 'Allow Diagnostic Data' is set to '0 - Enabled: Diagnostic data off (not recommended)' or '1 - Enabled: Send required diagnostic data'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "AllowTelemetry" ` + | Select-Object -ExpandProperty "AllowTelemetry" + + if (($regValue -ne 0) -and ($regValue -ne 1)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0 or x 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.2" + Task = "(L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableEnterpriseAuthProxy" ` + | Select-Object -ExpandProperty "DisableEnterpriseAuthProxy" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.3" + Task = "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DisableOneSettingsDownloads" ` + | Select-Object -ExpandProperty "DisableOneSettingsDownloads" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.4" + Task = "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "DoNotShowFeedbackNotifications" ` + | Select-Object -ExpandProperty "DoNotShowFeedbackNotifications" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.5" + Task = "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "EnableOneSettingsAuditing" ` + | Select-Object -ExpandProperty "EnableOneSettingsAuditing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.6" + Task = "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDiagnosticLogCollection" ` + | Select-Object -ExpandProperty "LimitDiagnosticLogCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.7" + Task = "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" ` + -Name "LimitDumpCollection" ` + | Select-Object -ExpandProperty "LimitDumpCollection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.16.8" + Task = "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" ` + -Name "AllowBuildPreview" ` + | Select-Object -ExpandProperty "AllowBuildPreview" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.1" + Task = "(L2) Ensure 'Enable App Installer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableAppInstaller" ` + | Select-Object -ExpandProperty "EnableAppInstaller" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.2" + Task = "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableExperimentalFeatures" ` + | Select-Object -ExpandProperty "EnableExperimentalFeatures" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.3" + Task = "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableHashOverride" ` + | Select-Object -ExpandProperty "EnableHashOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.4" + Task = "(L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableLocalArchiveMalwareScanOverride" ` + | Select-Object -ExpandProperty "EnableLocalArchiveMalwareScanOverride" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.5" + Task = "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableMSAppInstallerProtocol" ` + | Select-Object -ExpandProperty "EnableMSAppInstallerProtocol" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.6" + Task = "(L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableBypassCertificatePinningForMicrosoftStore" ` + | Select-Object -ExpandProperty "EnableBypassCertificatePinningForMicrosoftStore" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.18.7" + Task = "(L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller" ` + -Name "EnableWindowsPackageManagerCommandLineInterfaces" ` + | Select-Object -ExpandProperty "EnableWindowsPackageManagerCommandLineInterfaces" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.1" + Task = "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.1.2" + Task = "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.1" + Task = "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.2.2" + Task = "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 196608)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 196608" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.1" + Task = "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.3.2" + Task = "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.1" + Task = "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "Retention" ` + | Select-Object -ExpandProperty "Retention" + + if ($regValue -ne "0") { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.26.4.2" + Task = "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" ` + -Name "MaxSize" ` + | Select-Object -ExpandProperty "MaxSize" + + if (($regValue -lt 32768)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 32768" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.2" + Task = "(L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "DisableMotWOnInsecurePathCopy" ` + | Select-Object -ExpandProperty "DisableMotWOnInsecurePathCopy" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.3" + Task = "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoDataExecutionPrevention" ` + | Select-Object -ExpandProperty "NoDataExecutionPrevention" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.4" + Task = "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" ` + -Name "NoHeapTerminationOnCorruption" ` + | Select-Object -ExpandProperty "NoHeapTerminationOnCorruption" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.29.5" + Task = "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "PreXPSP2ShellProtocolBehavior" ` + | Select-Object -ExpandProperty "PreXPSP2ShellProtocolBehavior" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.37.1" + Task = "(L2) Ensure 'Turn off location' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" ` + -Name "DisableLocation" ` + | Select-Object -ExpandProperty "DisableLocation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.41.1" + Task = "(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging" ` + -Name "AllowMessageSync" ` + | Select-Object -ExpandProperty "AllowMessageSync" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.42.1" + Task = "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount" ` + -Name "DisableUserAuth" ` + | Select-Object -ExpandProperty "DisableUserAuth" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.4.1" + Task = "(L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" ` + -Name "PassiveRemediation" ` + | Select-Object -ExpandProperty "PassiveRemediation" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.1" + Task = "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "LocalSettingOverrideSpynetReporting" ` + | Select-Object -ExpandProperty "LocalSettingOverrideSpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.5.2" + Task = "(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" ` + -Name "SpynetReporting" ` + | Select-Object -ExpandProperty "SpynetReporting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." 
+ Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.1" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value = "ExploitGuard_ASR_Rules" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + $Value2 = "ExploitGuard_ASR_Rules" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 A" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 B" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 C" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block abuse of exploited vulnerable signed drivers'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 D" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 E" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 F" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 H" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 J" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 K" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 I" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 L" + Task = "(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.3.1" + Task = "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" + Test = { + try { + if (-not $windefrunning) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" ` + -Name "EnableNetworkProtection" ` + | Select-Object -ExpandProperty "EnableNetworkProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.7.1" + Task = "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\NIS" ` + -Name "EnableConvertWarnToBlock" ` + | Select-Object -ExpandProperty "EnableConvertWarnToBlock" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.1" + Task = "(L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "OobeEnableRtpAndSigUpdate" ` + | Select-Object -ExpandProperty "OobeEnableRtpAndSigUpdate" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.2" + Task = "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableIOAVProtection" ` + | Select-Object -ExpandProperty "DisableIOAVProtection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant" + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.3" + Task = "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.4" + Task = "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableBehaviorMonitoring" ` + | Select-Object -ExpandProperty "DisableBehaviorMonitoring" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.10.5" + Task = "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableScriptScanning" ` + | Select-Object -ExpandProperty "DisableScriptScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.11.1.1.1" + Task = "(L2) Ensure 'Configure Brute-Force Protection aggressiveness' is set to 1 - 'Enabled: Medium' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection" ` + -Name "BruteForceProtectionAggressiveness" ` + | Select-Object -ExpandProperty "BruteForceProtectionAggressiveness" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.11.1.1.2" + Task = "(L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 2 - 'Enabled: Audit' or 1 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Brute Force Protection" ` + -Name "BruteForceProtectionConfiguredState" ` + | Select-Object -ExpandProperty "BruteForceProtectionConfiguredState" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.11.1.2.1" + Task = "(L2) Ensure 'Configure how aggressively Remote Encryption Protection blocks threats' is set to 1 - 'Enabled: Medium' or 2 - higher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation\Behavioral Network Blocks\Remote Encryption Protection" ` + -Name "RemoteEncryptionProtectionAggressiveness" ` + | Select-Object -ExpandProperty "RemoteEncryptionProtectionAggressiveness" + + if (($regValue -ne 1) -and ($regValue -ne 2)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or x == 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.12.1" + Task = "(L2) Ensure 'Configure Watson events' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" ` + -Name "DisableGenericReports" ` + | Select-Object -ExpandProperty "DisableGenericReports" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.1" + Task = "(L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "QuickScanIncludeExclusions" ` + | Select-Object -ExpandProperty "QuickScanIncludeExclusions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.2" + Task = "(L1) Ensure 'Scan packed executables' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisablePackedExeScanning" ` + | Select-Object -ExpandProperty "DisablePackedExeScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.3" + Task = "(L1) Ensure 'Scan removable drives' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableRemovableDriveScanning" ` + | Select-Object -ExpandProperty "DisableRemovableDriveScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.4" + Task = "(L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DaysUntilAggressiveCatchupQuickScan" ` + | Select-Object -ExpandProperty "DaysUntilAggressiveCatchupQuickScan" + + if ($regValue -ne 7) { + return @{ + Message = "Registry value is '$regValue'. Expected: 7" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.13.5" + Task = "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" ` + -Name "DisableEmailScanning" ` + | Select-Object -ExpandProperty "DisableEmailScanning" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.16" + Task = "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "PUAProtection" ` + | Select-Object -ExpandProperty "PUAProtection" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.17" + Task = "(L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" ` + -Name "HideExclusionsFromLocalUsers" ` + | Select-Object -ExpandProperty "HideExclusionsFromLocalUsers" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.51.1" + Task = "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive" ` + -Name "DisableFileSyncNGSC" ` + | Select-Object -ExpandProperty "DisableFileSyncNGSC" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.56.1" + Task = "(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall" ` + -Name "DisablePushToInstall" ` + | Select-Object -ExpandProperty "DisablePushToInstall" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.2.2" + Task = "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DisablePasswordSaving" ` + | Select-Object -ExpandProperty "DisablePasswordSaving" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.2.1" + Task = "(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fSingleSessionPerUser" ` + | Select-Object -ExpandProperty "fSingleSessionPerUser" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.1" + Task = "(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "EnableUiaRedirection" ` + | Select-Object -ExpandProperty "EnableUiaRedirection" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.2" + Task = "(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCcm" ` + | Select-Object -ExpandProperty "fDisableCcm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.3" + Task = "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableCdm" ` + | Select-Object -ExpandProperty "fDisableCdm" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.4" + Task = "(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLocationRedir" ` + | Select-Object -ExpandProperty "fDisableLocationRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.5" + Task = "(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableLPT" ` + | Select-Object -ExpandProperty "fDisableLPT" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.6" + Task = "(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisablePNPRedir" ` + | Select-Object -ExpandProperty "fDisablePNPRedir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.7" + Task = "(L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fDisableWebAuthn" ` + | Select-Object -ExpandProperty "fDisableWebAuthn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.3.8" + Task = "(L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SCClipLevel" ` + | Select-Object -ExpandProperty "SCClipLevel" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.1" + Task = "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fPromptForPassword" ` + | Select-Object -ExpandProperty "fPromptForPassword" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.2" + Task = "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "fEncryptRPCTraffic" ` + | Select-Object -ExpandProperty "fEncryptRPCTraffic" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.3" + Task = "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "SecurityLayer" ` + | Select-Object -ExpandProperty "SecurityLayer" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.4" + Task = "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "UserAuthentication" ` + | Select-Object -ExpandProperty "UserAuthentication" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.9.5" + Task = "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MinEncryptionLevel" ` + | Select-Object -ExpandProperty "MinEncryptionLevel" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.1" + Task = "(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.10.2" + Task = "(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.1" + Task = "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "DeleteTempDirsOnExit" ` + | Select-Object -ExpandProperty "DeleteTempDirsOnExit" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.57.3.11.2" + Task = "(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "PerSessionTempDir" ` + | Select-Object -ExpandProperty "PerSessionTempDir" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.1" + Task = "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "DisableEnclosureDownload" ` + | Select-Object -ExpandProperty "DisableEnclosureDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.58.2" + Task = "(L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds" ` + -Name "AllowBasicAuthInClear" ` + | Select-Object -ExpandProperty "AllowBasicAuthInClear" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.2" + Task = "(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowCloudSearch" ` + | Select-Object -ExpandProperty "AllowCloudSearch" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Compliant. Registry value not found." + Status = "True" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Compliant. Registry key not found." + Status = "True" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.3" + Task = "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "AllowIndexingEncryptedStoresOrItems" ` + | Select-Object -ExpandProperty "AllowIndexingEncryptedStoresOrItems" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.59.4" + Task = "(L2) Ensure 'Allow search highlights' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" ` + -Name "EnableDynamicContentInWSB" ` + | Select-Object -ExpandProperty "EnableDynamicContentInWSB" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.63.1" + Task = "(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" ` + -Name "NoGenTicket" ` + | Select-Object -ExpandProperty "NoGenTicket" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 A" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "EnableSmartScreen" ` + | Select-Object -ExpandProperty "EnableSmartScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.76.2.1 B" + Task = "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" ` + -Name "ShellSmartScreenLevel" ` + | Select-Object -ExpandProperty "ShellSmartScreenLevel" + + if ($regValue -ne "Block") { + return @{ + Message = "Registry value is '$regValue'. Expected: Block" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.1" + Task = "(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowSuggestedAppsInWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowSuggestedAppsInWindowsInkWorkspace" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.80.2" + Task = "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace" ` + -Name "AllowWindowsInkWorkspace" ` + | Select-Object -ExpandProperty "AllowWindowsInkWorkspace" + + if (($regValue -ne 1) -and ($regValue -ne 0)) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1 or x == 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.1" + Task = "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "EnableUserControl" ` + | Select-Object -ExpandProperty "EnableUserControl" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.2" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.81.3" + Task = "(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "SafeForScripting" ` + | Select-Object -ExpandProperty "SafeForScripting" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.1" + Task = "(L1) Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "EnableMPR" ` + | Select-Object -ExpandProperty "EnableMPR" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.82.2" + Task = "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` + -Name "DisableAutomaticRestartSignOn" ` + | Select-Object -ExpandProperty "DisableAutomaticRestartSignOn" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.1" + Task = "(L2) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" ` + -Name "EnableScriptBlockLogging" ` + | Select-Object -ExpandProperty "EnableScriptBlockLogging" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.87.2" + Task = "(L2) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" ` + -Name "EnableTranscripting" ` + | Select-Object -ExpandProperty "EnableTranscripting" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.2" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.1.3" + Task = "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" ` + -Name "AllowDigest" ` + | Select-Object -ExpandProperty "AllowDigest" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.1" + Task = "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowBasic" ` + | Select-Object -ExpandProperty "AllowBasic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.2" + Task = "(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowAutoConfig" ` + | Select-Object -ExpandProperty "AllowAutoConfig" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.3" + Task = "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "AllowUnencryptedTraffic" ` + | Select-Object -ExpandProperty "AllowUnencryptedTraffic" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.89.2.4" + Task = "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Service)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service" ` + -Name "DisableRunAs" ` + | Select-Object -ExpandProperty "DisableRunAs" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.90.1" + Task = "(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS" ` + -Name "AllowRemoteShellAccess" ` + | Select-Object -ExpandProperty "AllowRemoteShellAccess" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.92.2.1" + Task = "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" ` + -Name "DisallowExploitProtectionOverride" ` + | Select-Object -ExpandProperty "DisallowExploitProtectionOverride" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.1.1" + Task = "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoRebootWithLoggedOnUsers" ` + | Select-Object -ExpandProperty "NoAutoRebootWithLoggedOnUsers" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.1" + Task = "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "NoAutoUpdate" ` + | Select-Object -ExpandProperty "NoAutoUpdate" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.2.2" + Task = "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" ` + -Name "ScheduledInstallDay" ` + | Select-Object -ExpandProperty "ScheduledInstallDay" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.1" + Task = "(L1) Ensure 'Manage preview builds' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "ManagePreviewBuildsPolicyValue" ` + | Select-Object -ExpandProperty "ManagePreviewBuildsPolicyValue" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 A" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdates" ` + | Select-Object -ExpandProperty "DeferFeatureUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.2 B" + Task = "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' (DeferFeatureUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferFeatureUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferFeatureUpdatesPeriodInDays" + + if (($regValue -lt 180 -or $regValue -gt 365)) { + return @{ + Message = "Registry value is '$regValue'. Expected: x >= 180 and x <= 365" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 A" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdates" ` + | Select-Object -ExpandProperty "DeferQualityUpdates" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.93.4.3 B" + Task = "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" ` + -Name "DeferQualityUpdatesPeriodInDays" ` + | Select-Object -ExpandProperty "DeferQualityUpdatesPeriodInDays" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.5.1.1" + Task = "(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" ` + -Name "NoToastApplicationNotificationOnLockScreen" ` + | Select-Object -ExpandProperty "NoToastApplicationNotificationOnLockScreen" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.6.6.1.1" + Task = "(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" ` + -Name "NoImplicitFeedback" ` + | Select-Object -ExpandProperty "NoImplicitFeedback" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.1" + Task = "(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "SaveZoneInformation" ` + | Select-Object -ExpandProperty "SaveZoneInformation" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.5.2" + Task = "(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" ` + -Name "ScanWithAntiVirus" ` + | Select-Object -ExpandProperty "ScanWithAntiVirus" + + if ($regValue -ne 3) { + return @{ + Message = "Registry value is '$regValue'. Expected: 3" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.1" + Task = "(L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "ConfigureWindowsSpotlight" ` + | Select-Object -ExpandProperty "ConfigureWindowsSpotlight" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.2" + Task = "(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableThirdPartySuggestions" ` + | Select-Object -ExpandProperty "DisableThirdPartySuggestions" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.3" + Task = "(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableTailoredExperiencesWithDiagnosticData" ` + | Select-Object -ExpandProperty "DisableTailoredExperiencesWithDiagnosticData" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.4" + Task = "(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableWindowsSpotlightFeatures" ` + | Select-Object -ExpandProperty "DisableWindowsSpotlightFeatures" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.8.5" + Task = "(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent" ` + -Name "DisableSpotlightCollectionOnDesktop" ` + | Select-Object -ExpandProperty "DisableSpotlightCollectionOnDesktop" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.26.1" + Task = "(L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ` + -Name "NoInplaceSharing" ` + | Select-Object -ExpandProperty "NoInplaceSharing" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.44.1" + Task = "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" ` + -Name "AlwaysInstallElevated" ` + | Select-Object -ExpandProperty "AlwaysInstallElevated" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "19.7.46.2.1" + Task = "(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer" ` + -Name "PreventCodecDownload" ` + | Select-Object -ExpandProperty "PreventCodecDownload" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} 
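Review bot: 19.7.44.1 reports "Registry value not found." as Status "False", but for AlwaysInstallElevated an absent value is the secure default (the policy only takes effect when the value is 1 in both HKLM and HKCU), so a missing value should not read like the policy is enabled; either return "True" with a message that the value is unset, or keep "False" but say "not configured (effective state: disabled)" so the report is not misread. Worth stating once in this group, too, that all of these tests read `Registry::HKEY_CURRENT_USER`, i.e. the profile of the account running the audit (normally an administrator), not the hives of the users the user-configuration policies target; a green result here says nothing about other profiles on the host.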
diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#SecurityOptions.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#SecurityOptions.ps1 new file mode 100644 index 0000000..89e9339 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#SecurityOptions.ps1 
@@ -0,0 +1,133 @@ +[AuditTest] @{ + Id = "2.3.1.1" + Task = "(L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["EnableGuestAccount"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'EnableGuestAccount' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.3" + Task = "(L1) Configure 'Accounts: Rename administrator account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewAdministratorName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$") { + return @{ + Message = "'NewAdministratorName' currently set to: $setOption. Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1.4" + Task = "(L1) Configure 'Accounts: Rename guest account'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["NewGuestName"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -notmatch "^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$") { + return @{ + Message = "'NewGuestName' currently set to: $setOption. 
Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Guest|Gast)\b).*$" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.10.1" + Task = "(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["LSAAnonymousNameLookup"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 0) { + return @{ + Message = "'LSAAnonymousNameLookup' currently set to: $setOption. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.6" + Task = "(L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + Test = { + $securityOption = Get-AuditResource "WindowsSecurityPolicy" + $setOption = $securityOption['System Access']["ForceLogoffWhenHourExpire"] + + if ($null -eq $setOption) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + if ($setOption -ne 1) { + return @{ + Message = "'ForceLogoffWhenHourExpire' currently set to: $setOption. Expected: 1" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#UserRights.ps1 b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#UserRights.ps1 new file mode 100644 index 0000000..4853eac --- /dev/null +++ b/ATAPAuditor/AuditGroups/Microsoft Windows Server 2025-CIS-1.0.0#UserRights.ps1 
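Review bot: in the SecurityOptions.ps1 hunk, the rename checks 2.3.1.3 and 2.3.1.4 embed `(?i)` in the middle of the pattern even though `-notmatch` is already case-insensitive, and on failure they print the raw regex (`Expected: ^(?=.{1,20}$)(?i)(?!.*\b(?:Administrator)\b).*$`) where the reader wants a plain expectation such as "Expected: any name other than 'Administrator', 1-20 characters"; the regex is fine as the check, just keep it out of the message. Same hunk: the German fallback `Gast` is handled for the guest account, so a one-line comment saying the administrator name needs no localized variant would stop the next reviewer from asking why the two patterns differ.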
@@ -0,0 +1,1987 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$hyperVStatus = CheckHyperVStatus +# Common +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Convert Domaingroups to german + $language = Get-UICulture + if ($language.Name -match "de-DE") { + if ($name -eq "Enterprise Admins") { + $name = "Organisations-Admins" + } + elseif ($name -eq "Domain Admins") { + $name = "Domänen-Admins" + } + } + + # Convert friendlynames to SID + $map = @{ + "Administrators" = "S-1-5-32-544" + "Guests" = "S-1-5-32-546" + "Local account" = "S-1-5-113" + "Local Service" = "S-1-5-19" + "Network Service" = "S-1-5-20" + "NT AUTHORITY\Authenticated Users" = "S-1-5-11" + "Remote Desktop Users" = "S-1-5-32-555" + "Service" = "S-1-5-6" + "Users" = "S-1-5-32-545" + "NT VIRTUAL MACHINE\Virtual Machines" = "S-1-5-83-0" + } + + if ($map.ContainsKey($name)) { + $name = $map[$name] + } + + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "S-1-5-83-0" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + if ($sidAccount.Translate([System.Security.Principal.NTAccount]) -eq "NULL SID") { + return @{ + Account = $null + Sid = $sidAccount.Value + } + } + else { + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + } + catch { + return @{ + Account = "Orphaned 
Account" + Sid = $Name + } + } + } +} + +# Tests +[AuditTest] @{ + Id = "2.2.1" + Task = "(L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTrustedCredManAccessPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTrustedCredManAccessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = 
$identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "(L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-11" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeNetworkLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "(L1) Ensure 'Act as part of the operating system' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTcbPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTcbPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTcbPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "(L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeMachineAccountPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if 
($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeMachineAccountPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeMachineAccountPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "(L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseQuotaPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseQuotaPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.7" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = 
"Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-9" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.8" + Task = "(L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.9" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.10" + Task = "(L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + Constraints = 
@( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-32-555" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.11" + Task = "(L1) Ensure 'Back up files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBackupPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBackupPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBackupPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = 
"Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.12" + Task = "(L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemtimePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-19" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemtimePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemtimePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.13" + Task = "(L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTimeZonePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 
'SeTimeZonePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTimeZonePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.14" + Task = "(L1) Ensure 'Create a pagefile' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePagefilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePagefilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePagefilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.15" + Task = "(L1) Ensure 'Create a token object' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateTokenPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + 
$unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.16" + Task = "(L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateGlobalPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateGlobalPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateGlobalPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message 
= $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.17" + Task = "(L1) Ensure 'Create permanent shared objects' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreatePermanentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreatePermanentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreatePermanentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.18" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if 
(($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ($hyperVStatus -ne "Enabled") { + [AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators [Hyper-V-Feature NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} 
+else { + [AuditTest] @{ + Id = "2.2.19" + Task = "(L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeCreateSymbolicLinkPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-83-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.20" + Task = "(L1) Ensure 'Debug programs' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDebugPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + + if ($unexpectedUsers.Count -gt 0) { + $messages = @() + $messages += "The user right 'SeDebugPrivilege' contains following unexpected users: 
" + ($unexpectedUsers -join ", ") + $message = $messages -join [System.Environment]::NewLine + return @{ + Status = "False" + Message = $message + } + } + #No UserRights on System comparing to publisher recommendation + if ($null -eq $currentUserRights -and $identityAccounts.Count -gt 0) { + return @{ + Status = "True" + Message = "Compliant - No UserRights are assigned to this policy. This configuration is even more secure than publisher recommendation." + } + } + #Less UserRights on System comparing to publisher recommendation + if ($currentUserRights.Count -lt $identityAccounts.Count) { + $users = "" + foreach ($currentUser in $currentUserRights) { + $users += $currentUser.Values + } + return @{ + Status = "True" + Message = "Compliant - Positive Deviation to publisher. Less UserRights are assigned to this policy than expected: $($users)" + } + } + #Same UserRights on System comparing to publisher recommendation + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.21" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + 
Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.22" + Task = "(L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyNetworkLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-114" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyNetworkLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.23" + Task = "(L1) Ensure 'Deny log on as a batch job' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = 
"2.2.24" + Task = "(L1) Ensure 'Deny log on as a service' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyServiceLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyServiceLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.25" + Task = "(L1) Ensure 'Deny log on locally' to include 'Guests'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.26" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + 
Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.27" + Task = "(L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] + $identityAccounts = @( + "S-1-5-32-546" + "S-1-5-113" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($missingUsers.Count -gt 0)) { + $messages = @() + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.28" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" + 
Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.29" + Task = "(L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeEnableDelegationPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() 
+ if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeEnableDelegationPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeEnableDelegationPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.30" + Task = "(L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRemoteShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRemoteShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRemoteShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +$adfsModule = Get-Module -Name ADFS +if ($null -eq $adfsModule) { + [AuditTest] @{ + Id = "2.2.31 " + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed]" + Test = { + $securityPolicy = 
Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else { + [AuditTest] @{ + Id = "2.2.31" + Task = "(L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE installed]" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAuditPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016" + "S-1-5-80-2246541699-21809830-3603976364-117610243-975697593" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAuditPrivilege' contains 
following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAuditPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.32" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +if ((Get-WindowsFeature -Name web-server).installed -ne $true) { + [AuditTest] @{ + Id = "2.2.33 A" + Task = "(L1) Ensure 'Impersonate a client after 
authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +else { + [AuditTest] @{ + Id = "2.2.33 B" + Task = "(L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' [IIS Role installed] (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeImpersonatePrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + "S-1-5-32-544" + "S-1-5-32-568" + "S-1-5-6" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account 
| Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeImpersonatePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeImpersonatePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +[AuditTest] @{ + Id = "2.2.34" + Task = "(L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeIncreaseBasePriorityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-90-0" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeIncreaseBasePriorityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + 
Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.35" + Task = "(L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLoadDriverPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLoadDriverPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLoadDriverPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.36" + Task = "(L1) Ensure 'Lock pages in memory' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeLockMemoryPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeLockMemoryPrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeLockMemoryPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.37" + Task = "(L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeBatchLogonRight"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeBatchLogonRight' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeBatchLogonRight' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.38" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain 
Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.39" + Task = "(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following 
unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.40" + Task = "(L1) Ensure 'Modify an object label' is set to 'No One'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeRelabelPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRelabelPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRelabelPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.41" + Task = "(L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemEnvironmentPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | 
Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSystemEnvironmentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemEnvironmentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.42" + Task = "(L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeManageVolumePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeManageVolumePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeManageVolumePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + 
Id = "2.2.43" + Task = "(L1) Ensure 'Profile single process' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeProfileSingleProcessPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeProfileSingleProcessPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.44" + Task = "(L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSystemProfilePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) 
{ + $messages += "The user right 'SeSystemProfilePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSystemProfilePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.45" + Task = "(L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeAssignPrimaryTokenPrivilege"] + $identityAccounts = @( + "S-1-5-19" + "S-1-5-20" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeAssignPrimaryTokenPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.46" + Task = "(L1) Ensure 'Restore files and directories' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege 
Rights"]["SeRestorePrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeRestorePrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeRestorePrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.47" + Task = "(L1) Ensure 'Shut down the system' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeShutdownPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeShutdownPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeShutdownPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + 
return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.48" + Task = "(L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSyncAgentPrivilege"] + $identityAccounts = @( + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSyncAgentPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeSyncAgentPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} +[AuditTest] @{ + Id = "2.2.49" + Task = "(L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeTakeOwnershipPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin 
$currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeTakeOwnershipPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if ($missingUsers.Count -gt 0) { + $messages += "The user 'SeTakeOwnershipPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } +} diff --git a/ATAPAuditor/AuditGroups/RSSeverityTests.ps1 b/ATAPAuditor/AuditGroups/RSSeverityTests.ps1 new file mode 100644 index 0000000..d865c80 --- /dev/null +++ b/ATAPAuditor/AuditGroups/RSSeverityTests.ps1 
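Review bot: in the user-rights tests 2.2.43 through 2.2.49 of the hunk above, the `| Where-Object { $null -ne $_ }` filter after `ConvertTo-NTAccountUser` silently drops any expected SID that fails to translate, which can turn a missing assignment into a false pass: if, for example, the WdiServiceHost service SID in 2.2.44 cannot be resolved on a host and the right is not actually granted to that account, `$missingUsers` stays empty and the test reports "Compliant"; if the right is granted, the account is instead reported as "unexpected". Consider failing, or returning Status "None" with an explanatory message, when fewer accounts come back than SIDs went in, instead of filtering the nulls away. Two smaller points: the string `"The user 'SeProfileSingleProcessPrivilege' setting does not contain the following users: "` should read "The user right ...", and "contains following unexpected users" is missing "the" (the same strings recur in every test); and since the seven tests differ only in the privilege name and the SID list, a shared helper taking those two parameters would remove the copy-pasted block and keep the message text in one place.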
@@ -0,0 +1,2509 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$windefrunning = CheckWindefRunning +. "$RootPath\Helpers\Firewall.ps1" +$domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole +$listOfWeakCipherSuites = getListOfWeakCipherSuites +$listOfInsecureCipherSuites = getListOfInsecureCipherSuites +[AuditTest] @{ + Id = "1.1.7" + Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $setPolicy = $securityPolicy['System Access']["ClearTextPassword"] + + if ($null -eq $setPolicy) { + return @{ + Message = "Currently not set." + Status = "False" + } + } + $setPolicy = [long]$setPolicy + + if ($setPolicy -ne 0) { + return @{ + Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +if ($domainRole -eq 3) { + [AuditTest] @{ + Id = "2.2.38" + Task = "Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Server" } + ) + Test = { + $securityPolicy = Get-AuditResource "WindowsSecurityPolicy" + $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"] + $identityAccounts = @( + "S-1-5-32-544" + ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ } + + $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account } + $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account } + + if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) { + $messages = @() + if ($unexpectedUsers.Count -gt 0) { + $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ") + } + if 
($missingUsers.Count -gt 0) { + $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ") + } + $message = $messages -join [System.Environment]::NewLine + + return @{ + Status = "False" + Message = $message + } + } + + return @{ + Status = "True" + Message = "Compliant" + } + } + } +} +if ($domainRole -ge 4) { + [AuditTest] @{ + Id = "2.3.5.2" + Task = "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" ` + -Name "LDAPServerIntegrity" ` + | Select-Object -ExpandProperty "LDAPServerIntegrity" + + if ($regValue -ne 2) { + return @{ + Message = "Registry value is '$regValue'. Expected: 2" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } + } +} +[AuditTest] @{ + Id = "2.3.11.4" + Task = "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" ` + -Name "SupportedEncryptionTypes" ` + | Select-Object -ExpandProperty "SupportedEncryptionTypes" + + if (($regValue -ne 2147483644) -and ($regValue -ne 2147483640)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x == 2147483644 or x == 2147483640" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.11.5" + Task = "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" ` + -Name "NoLMHash" ` + | Select-Object -ExpandProperty "NoLMHash" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "9.1.7" + Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogDroppedPackets" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} +[AuditTest] @{ + Id = "9.1.8" + Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller" } + ) + Test = { + $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging" + $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" + $key = "LogSuccessfulConnections" + $expectedValue = 1; + $profileType = "Domain" + $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType + return @{ + Message = $($result.Message) + Status = $($result.Status) + } + } +} + + + +[AuditTest] @{ + Id = "18.3.3" + Task = "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path 
"Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" ` + -Name "Start" ` + | Select-Object -ExpandProperty "Start" + + if ($regValue -ne 4) { + return @{ + Message = "Registry value is '$regValue'. Expected: 4" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.3.3" + Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" ` + -Name "SMB1" ` + | Select-Object -ExpandProperty "SMB1" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} + + + +[AuditTest] @{ + Id = "18.3.6" + Task = "Ensure 'WDigest Authentication' is set to 'Disabled'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" ` + -Name "UseLogonCredential" ` + | Select-Object -ExpandProperty "UseLogonCredential" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} + +[AuditTest] @{ + Id = "18.6.2" + Task = "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "NoWarningNoElevationOnInstall" ` + | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.6.3" + Task = "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" ` + -Name "UpdatePromptSettings" ` + | Select-Object -ExpandProperty "UpdatePromptSettings" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.9.2" + Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." + Status = "None" + } + } + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" ` + -Name "DisableRealtimeMonitoring" ` + | Select-Object -ExpandProperty "DisableRealtimeMonitoring" + + if ($regValue -eq 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 A" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 B" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 C" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 D" + Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configured" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 E" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 F" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 G" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 H" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 I" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 J" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 K" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.47.5.1.2 L" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.10.43.6.1.2 M" + Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block abuse of exploited vulnerable signed drivers)" + Test = { + try { + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $regValue = 0; + $regValueTwo = 0; + $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest1 = Test-ASRRules -Path $Path -Value $Value + if ($asrTest1) { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path $Path ` + -Name $Value ` + | Select-Object -ExpandProperty $Value + } + + $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5" + + $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 + if ($asrTest2) { + $regValueTwo = Get-ItemProperty -ErrorAction Stop ` + -Path $Path2 ` + -Name $Value2 ` + | Select-Object -ExpandProperty $Value2 + } + + if ($regValue -ne 1 -and $regValueTwo -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.10.1" + Task = "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxIdleTime" ` + | Select-Object -ExpandProperty "MaxIdleTime" + + if (($regValue -gt 900000 -or $regValue -eq 0)) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: x <= 900000 and x != 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "18.9.58.3.10.2" + Task = "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ` + -Name "MaxDisconnectionTime" ` + | Select-Object -ExpandProperty "MaxDisconnectionTime" + + if ($regValue -ne 60000) { + return @{ + Message = "Registry value is '$regValue'. Expected: 60000" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.1" + Task = "Disable SSLv2 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "Disable SSLv2 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "Disable SSLv2 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.4" + Task = "Disable SSLv2 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "Disable SSLv3 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "Disable SSLv3 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.3" + Task = "Disable SSLv3 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.2.4" + Task = "Disable SSLv3 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.1" + Task = "Disable TLS1.0 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.2" + Task = "Disable TLS1.0 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.3" + Task = "Disable TLS1.0 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.3.4" + Task = "Disable TLS1.0 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4.1" + Task = "Disable TLS1.1 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4.2" + Task = "Disable TLS1.1 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4.3" + Task = "Disable TLS1.1 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4.4" + Task = "Disable TLS1.1 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "Enable TLS1.2 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.5.2" + Task = "Enable TLS1.2 Protocol (Server Default)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.1" + Task = "Disable NULL Cipher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.2" + Task = "Disable DES Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.1" + Task = "Disable RC4 Cipher Suite - 40/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.2" + Task = "Disable RC4 Cipher Suite - 56/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.3" + Task = "Disable RC4 Cipher Suite - 64/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.3.4" + Task = "Disable RC4 Cipher Suite - 128/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.4" + Task = "Disable AES 128/128 Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.5" + Task = "Enable AES 256/256 Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:
"` + + ''` + + 'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "2.6" + Task = "Disable Triple DES Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.1" + Task = "Disable SHA-1 hash" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.2" + Task = "Disable MD5 hash" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1" + Task = "Configure Cipher Suite Ordering" + Test = { + #check if correct type + $typeTable = @{ + "String" = "String Value" + "Byte" = "Byte Value" + "Int32" = "DWORD (32-bit) Value" + "Int64" = "QWORD (64-bit) Value" + "String[]" = "Multi-String Value" + } + #Default status + $status = "Error" + + #Output + $verbInsecure = "rules have" + $verbWeak = "rules have" + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + + $currentType = 
$typeTable[$res] + if ($res -ne [String]) { + return @{ + Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'String Value'" + Status = "False" + } + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue.Split(',') + $regValues = $regValues -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach ($element in $regValues) { + if ($listOfWeakCipherSuites.Contains($element)) { + $weakRulesFound += $element + } + if ($listOfInsecureCipherSuites.Contains($element)) { + $insecureRulesFound += $element + } + } + if ($insecureRulesFound.Count -eq 1) { $verbInsecure = "rule has" } + if ($weakRulesFound.Count -eq 1) { $verbWeak = "rule has" } + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach ($member in $weakRulesFound) { + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach ($member in $insecureRulesFound) { + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if ($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0) { + $message = "" + if ($weakRulesFound.Count -eq 0) { $weakMessage = "" } + if ($insecureRulesFound.Count -eq 0) { $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + return @{ + Message = $message + Status = $status + } + } + } + catch { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + $currentType = $typeTable[$res] + if ($res -ne [String[]]) { + return @{ + Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'Multi-String Value'" + Status = "False" + } + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach ($element in $regValues) { + if ($listOfWeakCipherSuites.Contains($element)) { + $weakRulesFound += $element + } + if ($listOfInsecureCipherSuites.Contains($element)) { + $insecureRulesFound += $element + } + } + if ($insecureRulesFound.Count -eq 1) { $verbInsecure = "rule has" } + if ($weakRulesFound.Count -eq 1) { $verbWeak = "rule has" } + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach ($member in $weakRulesFound) { + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach ($member in $insecureRulesFound) { + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if ($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0) { + $message = "" + if ($weakRulesFound.Count -eq 0) { $weakMessage = "" } + if ($insecureRulesFound.Count -eq 0) { $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + return @{ + Message = $message + Status = $status + } + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/Red Hat Enterprise Linux 9-CIS-1.0.0.ps1 b/ATAPAuditor/AuditGroups/Red Hat Enterprise Linux 9-CIS-1.0.0.ps1 new file mode 100644 index 0000000..8bc1161 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Red Hat Enterprise Linux 9-CIS-1.0.0.ps1 
@@ -0,0 +1,3832 @@ +$rcTrue = "True" +$rcCompliant = "Compliant" +$rcFalse = "False" +$rcNone = "None" +$rcNonCompliant = "Non-Compliant" +$rcNonCompliantManualReviewRequired = "Manual review required" +$rcCompliantIPv6isDisabled = "IPv6 is disabled" + +$retCompliant = @{ + Message = $rcCompliant + Status = $rcTrue +} +$retNonCompliant = @{ + Message = $rcNonCompliant + Status = $rcFalse +} +$retCompliantIPv6Disabled = @{ + Message = $rcCompliantIPv6isDisabled + Status = $rcTrue +} +$retNonCompliantManualReviewRequired = @{ + Message = $rcNonCompliantManualReviewRequired + Status = $rcNone +} + +$IPv6Status_script = grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable && echo "IPv6 is enabled" || echo "IPv6 is not enabled" +$IPv6Status = bash -c $IPv6Status_script +if ($IPv6Status -match "is enabled") { + $IPv6Status = "enabled" +} else { + $IPv6Status = "disabled" +} + +$parentPath = Split-Path -Parent -Path $PSScriptRoot +$scriptPath = $parentPath + "/Helpers/ShellScripts/RHEL9/" + + +### Chapter 1 - Initial Setup + + +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure mounting of squashfs filesystems is disabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_1111.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure mounting of udf filesystems is disabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_1112.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2.1" + Task = "Ensure /tmp is a separate partition" + Test = { + $result = findmnt --kernel /tmp | grep -E '\s/tmp\s' + if ($result -match "/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2.2" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $result = findmnt 
--kernel /tmp | grep nodev + if ($result -match "/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2.3" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep noexec + if ($result -match "/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2.4" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep nosuid + if ($result -match "/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.3.1" + Task = "Ensure separate partition exists for /var" + Test = { + $result = findmnt --kernel /var + if ($result -match "/var") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.3.2" + Task = "Ensure nodev option set on /var partition" + Test = { + $result = findmnt --kernel /var | grep nodev + if ($result -match "/var") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.3.3" + Task = "Ensure nosuid option set on /var partition" + Test = { + $result = findmnt --kernel /var | grep nosuid + if ($result -match "/var") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.4.1" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result = findmnt --kernel /var/tmp + if ($result -match "/var/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.4.2" + Task = "Ensure noexec option set on /var/tmp partition" + Test = { + $result = findmnt --kernel /var/tmp | grep noexec + if ($result -match "/var/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.4.3" + Task = "Ensure nosuid option set on /var/tmp partition" + Test = { + $result = findmnt 
--kernel /var/tmp | grep nosuid + if ($result -match "/var/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.4.4" + Task = "Ensure nodev option set on /var/tmp partition" + Test = { + $result = findmnt --kernel /var/tmp | grep nodev + if ($result -match "/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.5.1" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result = findmnt --kernel /var/log + if ($result -match "/var/log") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.5.2" + Task = "Ensure nodev option set on /var/log" + Test = { + $result = findmnt --kernel /var/log | grep nodev + if ($result -match "/var/log") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.5.3" + Task = "Ensure noexec option set on /var/log" + Test = { + $result = findmnt --kernel /var/log | grep noexec + if ($result -match "/var/log") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.5.4" + Task = "Ensure nosuid option set on /var/log" + Test = { + $result = findmnt --kernel /var/log | grep nosuid + if ($result -match "/var/log") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.6.1" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit + if ($result -match "/var/log/audit") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.6.2" + Task = "Ensure noexec option set on /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit | grep noexec + if ($result -match "/var/log/audit") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.6.3" + Task = "Ensure nodev option set 
on /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit | grep nodev + if ($result -match "/var/log/audit") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.6.4" + Task = "Ensure nosuid option set on /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit | grep nosuid + if ($result -match "/var/log/audit") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.7.1" + Task = "Ensure separate partition exists for /home" + Test = { + $result = findmnt --kernel /home + if ($result -match "/home") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.7.2" + Task = "Ensure nodev option set on /home" + Test = { + $result = findmnt --kernel /home | grep nodev + if ($result -match "/home") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.7.3" + Task = "Ensure nosuid option set on /home" + Test = { + $result = findmnt --kernel /home | grep nosuid + if ($result -match "/home") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.8.1" + Task = "Ensure /dev/shm is a separate partition" + Test = { + $result = findmnt --kernel /dev/shm + if ($result -match "/dev/shm") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.8.2" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $result = mount | grep -E '\s/dev/shm\s' | grep nodev + if ($result -match "/dev/shm") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.8.3" + Task = "Ensure noexec option set on /dev/shm partition" + Test = { + $result = findmnt --kernel /dev/shm | grep noexec + if ($result -match "/dev/shm") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.8.4" + 
Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $result = findmnt --kernel /dev/shm | grep nosuid + if ($result -match "/dev/shm") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.9" + Task = "Disable USB Storage" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_119.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.2.1" + Task = "Ensure GPG keys are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.2.2" + Task = "Ensure gpgcheck is globally activated" + Test = { + $result = grep ^gpgcheck /etc/dnf/dnf.conf + if ($result -match "gpgcheck=1") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.2.3" + Task = "Ensure package manager repositories are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.2.4" + Task = "Ensure repo_gpgcheck is globally activated" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.3.1" + Task = "Ensure aide is installed" + Test = { + $result = rpm -q aide + if ($result -match "aide-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.3.2" + Task = "Ensure filesystem integrity is regularly checked" + Test = { + $result1 = systemctl is-enabled aidecheck.service + $result2 = systemctl is-enabled aidecheck.timer + $result3 = systemctl status aidecheck.service + if ($result1 -match "enabled" -and $result2 -match "enabled" -and $result3 -match "Active:") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.3.3" + Task = "Ensure filesystem integrity is regularly checked" + Test = { + $result = grep -Ps -- '(\/sbin\/(audit|au)\H*\b)' /etc/aide.conf.d/*.conf 
/etc/aide.conf + if ($result -match "/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $result -match "/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $result -match "/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $result -match "/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $result -match "/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512" -and + $result -match "/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure bootloader password is set" + Test = { + $result = awk -F. '/^\s*GRUB2_PASSWORD/ {print $1"."$2"."$3}' /boot/grub2/user.cfg + if ($result -match "GRUB2_PASSWORD=grub.pbkdf2.sha512") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure permissions on bootloader config are configured" + Test = { + $result1 = stat -Lc "%n %#a %u/%U %g/%G" /boot/grub2/grub.cfg | grep '/boot/grub2/grub.cfg\s*0700\s*0/root\s*0/root' + $result2 = stat -Lc "%n %#a %u/%U %g/%G" /boot/grub2/grubenv | grep '/boot/grub2/grubenv\s*0600\s*0/root\s*0/root' + $result3 = stat -Lc "%n %#a %u/%U %g/%G" /boot/grub2/user.cfg | grep '/boot/grub2/user.cfg\s*0600\s*0/root\s*0/root' + if ($result1 -ne $null -and $result2 -ne $null -and $result3 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure core dump storage is disabled" + Test = { + $result = grep -i '^\s*storage\s*=\s*none' /etc/systemd/coredump.conf + if ($result -match "Storage=none") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure core dump backtraces are disabled" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + grep -Pi '^\h*ProcessSizeMax\h*=\h*0\b' /etc/systemd/coredump.conf || echo -e "\n- Audit results:\n FAIL\n - \"ProcessSizeMax\" is: \"$(grep -i 
'ProcessSizeMax' /etc/systemd/coredump.conf)\"" +} +'@ + $result = bash -c $script_string + if ($result -match "FAIL") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure address space layout randomization (ASLR) is enabled" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="kernel.randomize_va_space=2" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() + { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<< "$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<< "$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} +'@ + $script = bash -c $script_string + if ($script -match "PASS") { + return $retCompliant + 
} else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.1" + Task = "Ensure SELinux is installed" + Test = { + $result = rpm -q libselinux + if ($result -match "libselinux-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.2" + Task = "Ensure SELinux is not disabled in bootloader configuration" + Test = { + $result = grubby --info=ALL | grep -Po '(selinux|enforcing)=0\b' + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.3" + Task = "Ensure SELinux policy is configured" + Test = { + $result1 = grep -E '^\s*SELINUXTYPE=(targeted|mls)\b' /etc/selinux/config + $result2 = sestatus | grep Loaded + if (($result1 -match "targeted" -or $result1 -match "mls") -and ($result2 -match "targeted" -or $result2 -match "mls")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.4" + Task = "Ensure the SELinux mode is not disabled" + Test = { + $result1 = getenforce + $result2 = grep -Ei '^\s*SELINUX=(enforcing|permissive)' /etc/selinux/config + if (($result1 -match "Enforcing" -or $result1 -match "Permissive") -and ($result2 -match "SELINUX=enforcing" -or $result2 -match "SELINUX=permissive")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.5" + Task = "Ensure the SELinux mode is enforcing" + Test = { + $result1 = getenforce + $result2 = grep -i SELINUX=enforcing /etc/selinux/config + if ($result1 -match "Enforcing" -and $result2 -match "SELINUX=enforcing") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.6" + Task = "Ensure no uncofined services exist" + Test = { + $result = ps -eZ | grep unconfined_service_t + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.7" + Task = "Ensure 
SETroubleshoot is not installed" + Test = { + $result = rpm -q setroubleshoot + if ($result -match "is not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1.8" + Task = "Ensure the MCS Translation Service (mcstrans) is not installed" + Test = { + $result = rpm -q mcstrans + if ($result -match "is not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.1" + Task = "Ensure the MCS Translation Service (mcstrans) is not installed" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.2" + Task = "Ensure local login warning banner is configured properly" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.4" + Task = "Ensure permissions on /etc/motd are configured" + Test = { + $result = stat -c "%a" /etc/motd + if ($result -eq 644) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.5" + Task = "Ensure permissions on /etc/issue are configured" + Test = { + $result = stat -c "%a" /etc/issue + if ($result -eq 644) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.6" + Task = "Ensure permissions on 
/etc/issue.net are configured" + Test = { + $result = stat -c "%a" /etc/issue.net + if ($result -eq 644) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.1" + Task = "Ensure GNOME Display Manager is removed" + Test = { + $result = rpm -q gdm + if ($result -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.2" + Task = "Ensure GDM login banner is configured" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_182.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.3" + Task = "Ensure GDM disable-user-list option is enabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_183.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.4" + Task = "Ensure GDM screen locks then the user is idle" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_184.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.5" + Task = "Ensure GDM screen locks cannot be overridden" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_185.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.6" + Task = "Ensure GDM automatic mounting of removable media is disabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_186.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.7" + Task = "Ensure GDM disabling automatic mounting of removable media is not overridden" + Test = { + 
$resultScript = $scriptPath + "CIS100_RHEL9_187.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.8" + Task = "Ensure GDM autorun-never is enabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_188.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.9" + Task = "Ensure GDM autorun-never is not overridden" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_189.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.10" + Task = "Ensure XDCMP is not enabled" + Test = { + $test = grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm/custom.conf + if ($test -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.9" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.10" + Task = "Ensure system-wide crypto policy is not legacy" + Test = { + $test = grep -E -i '^\s*LEGACY\s*(\s+#.*)?$' /etc/crypto-policies/config + if ($test -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +### Chapter 2 - Services + + +[AuditTest] @{ + Id = "2.1.1" + Task = "Ensure time synchronization is in use" + Test = { + $test = rpm -q chrony + if ($test -match "chrony-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.1.2" + Task = "Ensure chrony is configured" + Test = { + $test = grep -E "^(server|pool)" /etc/chrony.conf | grep OPTIONS\s*-u\s*chrony + if ($test -match "OPTIONS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.1" + 
Task = "Ensure xorg-x11-server-common is not installed" + Test = { + $test = rpm -q xorg-x11-server-common + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure Avahi Server is not installed" + Test = { + $test = rpm -q avahi + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.3" + Task = "Ensure CUPS is not installed" + Test = { + $test = rpm -q cups + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure DHCP Server is not installed" + Test = { + $test = rpm -q dhcp-server + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure DNS Server is not installed" + Test = { + $test = rpm -q bind + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.6" + Task = "Ensure VSFTP Server is not installed" + Test = { + $test = rpm -q vsftpd + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.7" + Task = "Ensure VSFTP Server is not installed" + Test = { + $test = rpm -q vsftpd + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.8" + Task = "Ensure a web server is not installed" + Test = { + $test = rpm -q httpd nginx + if ($test -match "httpd is not installed" -and $test -match "nginx is not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.9" + Task = "Ensure IMAP and POP3 server is not installed" + Test = { + $test = rpm -q dovecot cyrus-imapd + if ($test -match 
"dovecot is not installed" -and $test -match "cyrus-imapd is not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.10" + Task = "Ensure Samba is not installed" + Test = { + $test = rpm -q samba + if ($test -match "samba is not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.11" + Task = "Ensure HTTP Proxy Server is not installed" + Test = { + $test = rpm -q squid + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.12" + Task = "Ensure net-snmp is not installed" + Test = { + $test = rpm -q net-snmp + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.13" + Task = "Ensure telnet-server is not installed" + Test = { + $test = rpm -q telnet-server + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.14" + Task = "Ensure dnsmasq is not installed" + Test = { + $test = rpm -q dnsmasq + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.15" + Task = "Ensure mail transfer agent is configured for local-only mode" + Test = { + $test = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|\[?::1\]?):25\s' + if ($test -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.16" + Task = "Ensure nfs-utils is not installed or the nfs-server service is masked" + Test = { + rpm -q nfs-utils + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.17" + Task = "Ensure rpcbind is not installed or the rpcbind services are masked" + Test = { + $test1 = rpm -q rpcbind + $test21 = systemctl is-enabled rpcbind + $test22 = systemctl is-enabled rpcbind.socket + if ($test1 -match "not installed" -or ($test21 -match "masked" -and $test22 -match "masked")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.18" + Task = "Ensure rsync-daemon is not installed or the rsyncd service is masked" + Test = { + $test1 = rpm -q rsync-daemon + $test2 = systemctl is-enabled rsync-daemon + if ($test1 -match "not installed" -or $test2 -match "masked") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.1" + Task = "Ensure telnet client is not installed" + Test = { + $test = rpm -q telnet + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.2" + Task = "Ensure LDAP client is not installed" + Test = { + $test = rpm -q openldap-clients + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.3" + Task = "Ensure TFTP client is not installed" + Test = { + $test = rpm -q tftp + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.4" + Task = "Ensure FTP client is not installed" + Test = { + $test = rpm -q ftp + if ($test -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.4" + Task = "Ensure nonessential services listening on the system are removed or masked" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +### Chapter 3 - Network Configuration + + +[AuditTest] @{ + Id = "3.1.1" + Task = "Ensure 
IPv6 status is identified" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_312.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.1.3" + Task = "Ensure TIPC is disabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_313.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.2.1" + Task = "Ensure IP forwarding is disabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_321.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure packet redirect sending is disabled" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_322_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_322_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "PASS" -and $result2 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure packet redirect sending is disabled" + Test = { + $resultScript11 = $scriptPath + "CIS100_RHEL9_331_11.sh" + $result11 = bash $resultScript11 + $resultScript12 = $scriptPath + "CIS100_RHEL9_331_12.sh" + $result12 = bash $resultScript12 + $resultScript21 = $scriptPath + "CIS100_RHEL9_331_21.sh" + $result21 = bash $resultScript21 + $resultScript22 = $scriptPath + "CIS100_RHEL9_331_22.sh" + $result22 = bash $resultScript22 + if ($IPv6Status -eq "enabled") { + if ($result21 -match "PASS" -and $result22 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } else { + if ($result11 -match "PASS" 
-and $result12 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } + } +} + +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure ICMP redirects are not accepted" + Test = { + $resultScript11 = $scriptPath + "CIS100_RHEL9_332_11.sh" + $result11 = bash $resultScript11 + $resultScript12 = $scriptPath + "CIS100_RHEL9_332_12.sh" + $result12 = bash $resultScript12 + $resultScript21 = $scriptPath + "CIS100_RHEL9_332_21.sh" + $result21 = bash $resultScript21 + $resultScript22 = $scriptPath + "CIS100_RHEL9_332_22.sh" + $result22 = bash $resultScript22 + if ($IPv6Status -eq "enabled") { + if ($result21 -match "PASS" -and $result22 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } else { + if ($result11 -match "PASS" -and $result12 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } + } +} + +# 3.3.3 ist identisch mit 3.3.2 ... warum auch immer - wird hier weg gelassen + +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure suspicious packets are logged" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_334_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_334_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "PASS" -and $result2 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure broadcast ICMP requests are ignored" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_335.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure bogus ICMP responses are ignored" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_336.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure Reverse Path 
Filtering is enabled" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_337_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_337_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "PASS" -and $result2 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure TCP SYN Cookies is enabled" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_338.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure IPv6 router advertisements are not accepted" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_339_1.sh" + $resultScript1 = $scriptPath + "CIS100_RHEL9_339_2.sh" + if ($IPv6Status -match "disabled") { + return $retCompliantIPv6Disabled + } else { + $script1 = bash $resultScript1 + $script2 = bash $resultScript2 + if ($script1 -match "PASS" -and $script2 -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } + } +} + +[AuditTest] @{ + Id = "3.4.1.1" + Task = "Ensure nftables is installed" + Test = { + $result = rpm -q nftables + if ($result -match "nftables-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.4.1.2" + Task = "Ensure a single firewall configuration utility is in use" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_3412.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.4.2.1" + Task = "Ensure firewalld default zone is set" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_3421.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.4.2.2" + Task = "Ensure at least one 
nftables table exists" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.4.2.3" + Task = "Ensure nftables base chains exist" + Test = { + try{ + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} + +[AuditTest] @{ + Id = "3.4.2.4" + Task = "Ensure host based firewall loopback traffic is configured" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + l_output="" l_output2="" + if nft list ruleset | awk '/hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then + l_output="$l_output\n - Network traffic to the loopback address is correctly set to accept" + else + l_output2="$l_output2\n - Network traffic to the loopback address is not set to accept" + fi + l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')" + if grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" || grep -Pq -- 'ip\h+daddr\h+\!\=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then + l_output="$l_output\n - IPv4 network traffic from loopback address correctly set to drop" + else + l_output2="$l_output2\n - IPv4 network traffic from loopback address not set to drop" + fi + if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then + l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')" + if grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" || grep -Pq 
-- 'ip6\h+daddr\h+\!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then + l_output="$l_output\n - IPv6 network traffic from loopback address correctly set to drop" + else + l_output2="$l_output2\n - IPv6 network traffic from loopback address not set to drop" + fi + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output" + else + echo -e "\n- Audit Result:\n FAIL\n$l_output2\n\n - Correctly set:\n$l_output" + fi +} +'@ + $script = bash -c $script_string + if ($script -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.4.2.5" + Task = "Ensure firewalld drops unnecessary services and ports" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.4.2.6" + Task = "Ensure nftables established connections are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.4.2.7" + Task = "Ensure nftables default deny firewall policy" + Test = { + $result1 = systemctl --quiet is-enabled nftables.service && nft list ruleset | grep 'hook input' | grep -v 'policy drop' + $result2 = systemctl --quiet is-enabled nftables.service && nft list ruleset | grep 'hook forward' | grep -v 'policy drop' + if ($result1 -eq $null -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +### Chapter 4 - Logging and Auditing + + +[AuditTest] @{ + Id = "4.1.1.1" + Task = "Ensure auditd is installed" + Test = { + $result1 = rpm -q audit + if ($result1 -match "audit-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.1.2" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $result1 = grubby --info=ALL | grep -Po '\baudit=1\b' + if ($result1 -match "audit=1") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.1.3" + Task = "Ensure 
audit_backlog_limit is sufficient" + Test = { + $result1 = grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b" + if ($result1 -match "audit_backlog_limit=") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.1.4" + Task = "Ensure auditd service is enabled" + Test = { + $result1 = systemctl is-enabled auditd + if ($result1 -match "enabled") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.1.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $result1 = grep max_log_file_action /etc/audit/auditd.conf | grep max_log_file_action + if ($result1 -match "max_log_file_action = keep_logs") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $result1 = grep space_left_action /etc/audit/auditd.conf + $result2 = grep action_mail_acct /etc/audit/auditd.conf + $result3 = grep -E 'admin_space_left_action\s*=\s*(halt|single)' /etc/audit/auditd.conf + if ($result1 -match "space_left_action = email" -and $result2 -match "action_mail_acct = root" -and ($result3 -match "admin_space_left_action = halt" -or $result3 -match "admin_space_left_action = single")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.1" + Task = "Ensure changes to system administration scope (sudoers) is collected" + Test = { + $result1 = awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + $result2 = auditctl -l | awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + if ($result1 -match "-w /etc/sudoers -p wa -k scope" -and $result1 -match "-w 
/etc/sudoers.d -p wa -k scope" -and $result2 -match "-w /etc/sudoers -p wa -k scope" -and $result2 -match "-w /etc/sudoers.d -p wa -k scope") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.2" + Task = "Ensure actions as another user are always logged" + Test = { + $result1 = awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + $result2 = auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + if ($result1 -match "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation" -and $result1 -match "-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation" -and $result2 -match "-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation" -and $result2 -match "-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.3" + Task = "Ensure events that modify the sudo log file are collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_4133_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_4133_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-w /var/log/sudo.log -p wa -k sudo_log_file" -and $result2 -match "-w /var/log/sudo.log -p wa -k sudo_log_file") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.4" + Task = "Ensure events that modify date and time information are collected" + Test = { + $script_string1 = @' + #!/usr/bin/env bash + { + awk 
'/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&/ -S/ &&(/adjtimex/ ||/settimeofday/ ||/clock_settime/ ) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + awk '/^ *-w/ &&/\/etc\/localtime/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + } +'@ + $script_string2 = @' +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&/ -S/ &&(/adjtimex/ ||/settimeofday/ ||/clock_settime/ ) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + auditctl -l | awk '/^ *-w/ &&/\/etc\/localtime/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} +'@ + $result1 = bash -c $script_string1 + $result2 = bash -c $script_string2 + if ($result1 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change" -and $result1 -match "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change" -and $result1 -match "-w /etc/localtime -p wa -k time-change" -and + $result2 -match "-w /var/log/sudo.log -p wa -k sudo_log_file" -and $result2 -match "-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -F key=time-change" -and $result2 -match "-w /etc/localtime -p wa -k time-change") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + $script_string1 = @' + #!/usr/bin/env bash + { + awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/sethostname/ ||/setdomainname/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + awk '/^ *-w/ &&(/\/etc\/issue/ ||/\/etc\/issue.net/ ||/\/etc\/hosts/ ||/\/etc\/sysconfig\/network/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + } +'@ + $script_string2 = @' +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/sethostname/ ||/setdomainname/) &&(/ key= *[!-~]* 
*$/||/ -k *[!-~]* *$/)' + auditctl -l | awk '/^ *-w/ &&(/\/etc\/issue/ ||/\/etc\/issue.net/ ||/\/etc\/hosts/ ||/\/etc\/sysconfig\/network/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} +'@ + $result1 = bash -c $script_string1 + $result2 = bash -c $script_string2 + if ($result1 -match "-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale" -and $result1 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale" -and $result1 -match "-w /etc/issue -p wa -k system-locale" -and $result1 -match "-w /etc/issue.net -p wa -k system-locale" -and $result1 -match "-w /etc/hosts -p wa -k system-locale" -and $result1 -match "-w /etc/sysconfig/network -p wa -k system-locale" -and $result1 -match "-w /etc/sysconfig/network-scripts/ -p wa -k system-locale" -and + $result2 -match "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale" -and $result2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale" -and $result2 -match "-w /etc/issue -p wa -k system-locale" -and $result2 -match "-w /etc/issue.net -p wa -k system-locale" -and $result2 -match "-w /etc/hosts -p wa -k system-locale" -and $result2 -match "-w /etc/sysconfig/network -p wa -k system-locale" -and $result2 -match "-w /etc/sysconfig/network-scripts -p wa -k system-locale") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.6" + Task = "Ensure use of privileged commands are collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_4136_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_4136_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "Warning" -or $result2 -match "Warning") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.7" + Task = "Ensure unsuccessful file access attempts are collected" + Test = { + $resultScript1 = $scriptPath + 
"CIS100_RHEL9_4137_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_4137_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access" -and $result1 -match "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access" -and $result1 -match "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access" -and $result1 -match "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access" -and + $result2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" -and $result2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access" -and $result2 -match "-a always,exit -F arch=b32 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" -and $result2 -match "-a always,exit -F arch=b32 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.8" + Task = "Ensure events that modify user/group information are collected" + Test = { + $script_string1 = @' +#!/usr/bin/env bash +{ + awk '/^ *-w/ &&(/\/etc\/group/ ||/\/etc\/passwd/ ||/\/etc\/gshadow/ ||/\/etc\/shadow/ ||/\/etc\/security\/opasswd/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules +} +'@ + $script_string2 = @' +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-w/ &&(/\/etc\/group/ ||/\/etc\/passwd/ ||/\/etc\/gshadow/ ||/\/etc\/shadow/ ||/\/etc\/security\/opasswd/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} 
+'@ + $result1 = bash -c $script_string1 + $result2 = bash -c $script_string2 + if ($result1 -match "-w /etc/group -p wa -k identity" -and $result1 -match "-w /etc/passwd -p wa -k identity" -and $result1 -match "-w /etc/gshadow -p wa -k identity" -and $result1 -match "-w /etc/shadow -p wa -k identity" -and $result1 -match "-w /etc/security/opasswd -p wa -k identity" -and + $result2 -match "-w /etc/group -p wa -k identity" -and $result2 -match "-w /etc/passwd -p wa -k identity" -and $result2 -match "-w /etc/gshadow -p wa -k identity" -and $result2 -match "-w /etc/shadow -p wa -k identity" -and $restul2 -match "-w /etc/security/opasswd -p wa -k identity") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.9" + Task = "Ensure discretionary access control permission modification events are collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_4139_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_4139_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" -and $result1 -match "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" -and $result1 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" -and + $result1 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" -and $result1 -match "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" -and $result1 -match "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" -and + $result2 -match "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F 
key=perm_mod" -and $result2 -match "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and $result2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and + $result2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and $result2 -match "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and $result2 -match "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.10" + Task = "Ensure successful file system mounts are collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41310_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_41310_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts" -and $result1 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts" -and + $result2 -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts" -and $result2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.11" + Task = "Ensure session initiation information is collected" + Test = { + $script_string1 = @' +#!/usr/bin/env bash +{ + awk '/^ *-w/ &&(/\/var\/run\/utmp/ ||/\/var\/log\/wtmp/ ||/\/var\/log\/btmp/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules +} +'@ + $script_string2 = @' +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-w/ &&(/\/var\/run\/utmp/ ||/\/var\/log\/wtmp/ 
||/\/var\/log\/btmp/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} +'@ + $result1 = bash -c $script_string1 + $result2 = bash -c $script_string2 + if ($result1 -match "-w /var/run/utmp -p wa -k session" -and $result1 -match "-w /var/log/wtmp -p wa -k session" -and $result1 -match "-w /var/log/btmp -p wa -k session" -and + $result2 -match "-w /var/run/utmp -p wa -k session" -and $result2 -match "-w /var/log/wtmp -p wa -k session" -and $result2 -match "-w /var/log/btmp -p wa -k session") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "4.1.3.12" + Task = "Ensure login and logout events are collected" + Test = { + $script_string1 = @' +#!/usr/bin/env bash +{ + awk '/^ *-w/ \ + &&(/\/var\/log\/lastlog/ \ + ||/\/var\/run\/faillock/) \ + &&/ +-p *wa/ \ + &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules +} +'@ + $script_string2 = @' +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-w/ \ + &&(/\/var\/log\/lastlog/ \ + ||/\/var\/run\/faillock/) \ + &&/ +-p *wa/ \ + &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} +'@ + $result1 = bash -c $script_string1 + $result2 = bash -c $script_string2 + if ($result1 -match "-w /var/log/lastlog -p wa -k logins" -and $result1 -match "-w /var/run/faillock -p wa -k logins" -and + $result2 -match "-w /var/log/lastlog -p wa -k logins" -and $result2 -match "-w /var/run/faillock -p wa -k logins") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.13" + Task = "Ensure file deletion events by users are collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41313_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_41313_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete" -and $result1 -match "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F 
auid>=1000 -F auid!=unset -k delete" -and + $result2 -match "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" -and $result2 -match "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.14" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41314_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_41314_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-w /etc/selinux -p wa -k MAC-policy" -and $result1 -match "-w /usr/share/selinux -p wa -k MAC-policy" -and + $result2 -match "-w /etc/selinux -p wa -k MAC-policy" -and $result2 -match "-w /usr/share/selinux -p wa -k MAC-policy") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.15" + Task = "Ensure successful and unsuccessful attempts to use the chcon command are recorded" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41315_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_41315_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" -and + $result2 -match "-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.16" + Task = "Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41316_1.sh" + $resultScript2 = $scriptPath + "CIS100_RHEL9_41316_2.sh" + $result1 = bash $resultScript1 + $result2 = bash $resultScript2 + if ($result1 -match "-a 
always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" -and + $result2 -match "-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.17" + Task = "Ensure successful and unsuccessful attempts to use the chacl command are recorded" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41317_1.sh" + $resultScript2 = $scriptPath + "CIS100_RHEL9_41317_2.sh" + $result1 = bash $resultScript1 + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng" -and + $result2 -match "-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=perm_chng") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.18" + Task = "Ensure successful and unsuccessful attempts to use the usermod command are recorded" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41318_1.sh" + $resultScript2 = $scriptPath + "CIS100_RHEL9_41318_2.sh" + $result1 = bash $resultScript1 + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod" -and + $result2 -match "-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -F key=usermod") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.19" + Task = "Ensure kernel module loading unloading and modification is collected" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_41319_1.sh" + $resultScript2 = $scriptPath + "CIS100_RHEL9_41319_2.sh" + $result1 = bash $resultScript1 + $result2 = bash $resultScript2 + if ($result1 -match "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F 
auid>=1000 -F auid!=unset -k kernel_modules" -and $result1 -match "-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules" -and + $result2 -match "-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=-1 -F key=kernel_modules" -and $result2 -match "-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=kernel_modules" -and $result3 -match "OK") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.20" + Task = "Ensure the audit configuration is immutable" + Test = { + $result1 = grep -Ph -- '^\h*-e\h+2\b' /etc/audit/rules.d/*.rules | tail -1 + if ($result1 -match "-e 2") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.3.21" + Task = "Ensure the running and on disk configuration is the same" + Test = { + $result1 = augenrules --check + if ($result1 -match "/usr/sbin/augenrules: No change") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.1" + Task = "Ensure audit log files are mode 0640 or less permissive" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_4141.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.2" + Task = "Ensure only authorized users own audit log files" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_3412.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.3" + Task = "Ensure only authorized groups are assigned ownership of audit log files" + Test = { + $script_string1 = @' +#!/usr/bin/env bash +{ + stat -c "%n %G" "$(dirname $(awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf | xargs))"/* | grep 
-Pv '^\h*\H+\h+(adm|root)\b' +} +'@ + $result1 = bash -c $script_string1 + $result2 = grep -Piw -- '^\h*log_group\h*=\h*(adm|root)\b' /etc/audit/auditd.conf + if (($result1 -match "log_group = adm" -or $result1 -match "log_group = root") -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.4" + Task = "Ensure the audit log directory is 0750 or more restrictive" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_4144.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.5" + Task = "Ensure audit configuration files are 640 or more restrictive" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_4145.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.6" + Task = "Ensure audit configuration files are owned by root" + Test = { + $result1_string = @' +#!/usr/bin/env bash +{ + find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root +} +'@ + $result1 = bash -c $result1_string + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.7" + Task = "Ensure audit configuration files belong to group root" + Test = { + $result1_string = @' +#!/usr/bin/env bash +{ + find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! 
-group root +} +'@ + $result1 = bash -c $result1_string + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.8" + Task = "Ensure audit tools are 755 or more restrictive" + Test = { + $result1 = stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+([0-7][0,1,4,5][0,1,4,5])\h*$' + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.9" + Task = "Ensure audit tools are owned by root" + Test = { + $result1 = stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+root\h*$' + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4.10" + Task = "Ensure audit tools belong to group root" + Test = { + $result1 = stat -c "%n %a %U %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- '^\h*\H+\h+([0-7][0,1,4,5][0,1,4,5])\h+root\h+root\h*$' + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.1" + Task = "Ensure rsyslog is installed" + Test = { + $result1 = rpm -q rsyslog + if ($result1 -match "rsyslog-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.2" + Task = "Ensure rsyslog service is enabled" + Test = { + $result1 = systemctl is-enabled rsyslog + if ($result1 -match "enabled") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.3" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $result1 = grep ^\s*ForwardToSyslog /etc/systemd/journald.conf + if ($result1 -match "ForwardToSyslog=yes") { + return $retCompliant + } else { + return 
$retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.4" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $result1 = grep -Ps '^\h*\$FileCreateMode\h+0[0,2,4,6][0,2,4]0\b' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if ($result1 -match "FileCreateMode 0640") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.5" + Task = "Ensure logging is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.1.6" + Task = "Ensure rsyslog is configured to send logs to a remote log host" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.1.7" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $result1 = grep -Ps -- '^\h*module\(load="imtcp"\)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + $result2 = grep -Ps -- '^\h*input\(type="imtcp" port="514"\)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if ($result1 -eq $null -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.1.1" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $result1 = rpm -q systemd-journal-remote + if ($result1 -eq "systemd-journal-remote-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.1.2" + Task = "Ensure systemd-journal-remote is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.2.1.3" + Task = "Ensure systemd-journal-remote is enabled" + Test = { + $result1 = systemctl is-enabled systemd-journal-upload.service + if ($result1 -match "enabled") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.1.4" + Task = "Ensure journald is not configured to receive logs from a remote client" + Test = { + $result1 = systemctl is-enabled 
systemd-journal-remote.socket + if ($result1 -match "masked") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.2" + Task = "Ensure journald service is enabled" + Test = { + $result1 = systemctl is-enabled systemd-journald.service + if ($result1 -match "static") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.3" + Task = "Ensure journald is configured to compress large log files" + Test = { + $result1 = grep ^\s*Compress /etc/systemd/journald.conf + if ($result1 -match "Compress=yes") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.4" + Task = "Ensure journald is configured to write logfiles to persistent disk" + Test = { + $result1 = grep ^\s*Storage /etc/systemd/journald.conf + if ($result1 -match "Storage=persistent") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.5" + Task = "Ensure journald is not configured to send logs to rsyslog" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.2.6" + Task = "Ensure journald log rotation is configured per site policy" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.2.7" + Task = "Ensure journald default file permissions configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.3" + Task = "Ensure all logfiles have appropriate permissions and ownership" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + echo -e "\n- Start check - logfiles have appropriate permissions and ownership" + output="" + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + find /var/log -type f | (while read -r fname; do + bname="$(basename "$fname")" + fugname="$(stat -Lc "%U %G" "$fname")" + funame="$(awk '{print $1}' <<< "$fugname")" + fugroup="$(awk '{print $2}' <<< 
"$fugname")" + fuid="$(stat -Lc "%u" "$fname")" + fmode="$(stat -Lc "%a" "$fname")" + case "$bname" in lastlog | lastlog.* | wtmp | wtmp.* | wtmp-* | btmp | btmp.* | btmp-*) + if ! grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$' <<< "$fmode"; then + output="$output\n- File: \"$fname\" mode: \"$fmode\"\n" + fi + if ! grep -Pq -- '^\h*root\h+(utmp|root)\h*$' <<< "$fugname"; then + output="$output\n- File: \"$fname\" ownership: \"$fugname\"\n" + fi + ;; + secure | auth.log | syslog | messages) + if ! grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' <<< "$fmode"; then + output="$output\n- File: \"$fname\" mode: \"$fmode\"\n" + fi + if ! grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$' <<< "$fugname"; then + output="$output\n- File: \"$fname\" ownership: \"$fugname\"\n" + fi + ;; + SSSD | sssd) + if ! grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$' <<< "$fmode"; then + output="$output\n- File: \"$fname\" mode: \"$fmode\"\n" + fi + if ! grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$' <<< "$fugname"; then + output="$output\n- File: \"$fname\" ownership: \"$fugname\"\n" + fi + ;; + gdm | gdm3) + if ! grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$' <<< "$fmode"; then + output="$output\n- File: \"$fname\" mode: \"$fmode\"\n" + fi + if ! grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$' <<< "$fugname"; then + output="$output\n- File: \"$fname\" ownership: \"$fugname\"\n" + fi + ;; + *.journal | *.journal~) + if ! grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' <<< "$fmode"; then + output="$output\n- File: \"$fname\" mode: \"$fmode\"\n" + fi + if ! grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$' <<< "$fugname"; then + output="$output\n- File: \"$fname\" ownership: \"$fugname\"\n" + fi + ;; + *) if ! grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$' <<< "$fmode"; then + output="$output\n- File: \"$fname\" mode: \"$fmode\"\n" + fi + if [ "$fuid" -ge "$UID_MIN" ] || ! grep -Pq -- '(adm|root|'"$(id -gn "$funame")"')' <<< "$fugroup"; then + if [ -n "$(awk -v grp="$fugroup" -F: '$1==grp {print $4}' /etc/group)" ] || ! 
grep -Pq '(syslog|root)' <<< "$funame"; then + output="$output\n- File: \"$fname\" ownership: \"$fugname\"\n" + fi + fi + ;; + esac + done # If all files passed, then we pass + if [ -z "$output" ]; then + echo -e "\n- Audit Results:\n PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n" + else # print the reason why we are failing + echo -e "\n- Audit Results:\n FAIL\n$output" + fi + echo -e "- End check - logfiles have appropriate permissions and ownership\n" + ) +} +'@ + $script = bash -c $script_string + if ($script -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.3" + Task = "Ensure logrotate is configured" + Test = { + return $retNonCompliantManualReviewRequired + + } +} + + +### Chapter 5 - Access, Authentication and Authorization + + +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled" + Test = { + $result1 = systemctl is-enabled crond + if ($result1 -match "enabled") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $result1 = stat -c "%a" /etc/crontab + if ($result1 -eq 600 ) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.hourly + if ($result1 -eq 700 ) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.daily + if ($result1 -eq 700 ) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.weekly + if ($result1 -eq 700 ) { + 
return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.monthly + if ($result1 -eq 700 ) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.d + if ($result1 -eq 700 ) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure cron is restricted to authorized users" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + if rpm -q cronie >/dev/null; then + [ -e /etc/cron.deny ] && echo "Fail: cron.deny exists" + if [ ! -e /etc/cron.allow ]; then + echo "Fail: cron.allow doesn't exist" + else + ! stat -Lc "%a" /etc/cron.allow | grep -Eq "[0,2,4,6]00" && echo "Fail: cron.allow mode too permissive" + ! stat -Lc "%u:%g" /etc/cron.allow | grep -Eq "^0:0$" && echo "Fail: cron.allow owner and/or group not root" + fi + if [ ! -e /etc/cron.deny ] && [ -e /etc/cron.allow ] && stat -Lc "%a" /etc/cron.allow | grep -Eq "[0,2,4,6]00" \ && stat -Lc "%u:%g" /etc/cron.allow | grep -Eq "^0:0$"; then + echo "Pass" + fi + else + echo "PASS: cron is not installed on the system" + fi +} +'@ + $script = bash -c $script_string + if ($script -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure at is restricted to authorized users" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + if rpm -q at >/dev/null; then + [ -e /etc/at.deny ] && echo "Fail: at.deny exists" + if [ ! -e /etc/at.allow ]; then + echo "Fail: at.allow doesn't exist" + else + ! stat -Lc "%a" /etc/at.allow | grep -Eq "[0,2,4,6]00" && echo "Fail: at.allow mode too permissive" + ! 
stat -Lc "%u:%g" /etc/at.allow | grep -Eq "^0:0$" && echo "Fail: at.allow owner and/or group not root" + fi + if [ ! -e /etc/at.deny ] && [ -e /etc/at.allow ] && stat -Lc "%a" /etc/at.allow | grep -Eq "[0,2,4,6]00" && stat -Lc "%u:%g" /etc/at.allow | grep -Eq "^0:0$"; then + echo "PASS" + fi + else + echo "PASS: at is not installed on the system" + fi +} +'@ + $script = bash -c $script_string + if ($script -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure permissions on /etc/ssh/sshd_config are configured" + Test = { + $result1 = stat -Lc "%n %a %u/%U %g/%G" /etc/ssh/sshd_config + if ($result1 -match "/etc/ssh/sshd_config 600 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure permissions on SSH private host key files are configured" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_522.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_523.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.4" + Task = "Ensure SSH access is limited" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' + $test2 = grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config + if ($test1 -match "allowusers " -or $test1 -match "allowgroups " -or $test1 -match "denyusers " -or $test1 -match "denygroups " -or + $test2 -match "allowusers " -or $test2 -match "allowgroups " -or $test2 -match "denyusers " -or 
$test2 -match "denygroups ") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.5" + Task = "Ensure SSH LogLevel is appropriate" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' + $test2 = grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config + if (($test1 -match "allowusers " -or $test1 -match "allowgroups " -or $test1 -match "denyusers " -or $test1 -match "denygroups ") -and + ($test2 -match "allowusers " -or $test2 -match "allowgroups " -or $test2 -match "denyusers " -or $test2 -match "denygroups ")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.6" + Task = "Ensure SSH PAM is enabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i usepam + $test2 = grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config + if ($test1 -match "usepam yes" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.7" + Task = "Ensure SSH root login is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootlogin + $test2 = grep -Ei '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config + if ($test1 -match "permitrootlogin no" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.8" + Task = "Ensure SSH HostbasedAuthentication is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep hostbasedauthentication + $test2 = grep -Ei '^\s*HostbasedAuthentication\s+yes' /etc/ssh/sshd_config + if ($test1 -match 
"permitrootlogin no" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.9" + Task = "Ensure SSH PermitEmptyPasswords is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitemptypasswords + $test2 = grep -Ei '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config + if ($test1 -match "permitemptypasswords no" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.10" + Task = "Ensure SSH PermitUserEnvironment is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permituserenvironment + $test2 = grep -Ei '^\s*PermitUserEnvironment\s+yes' /etc/ssh/sshd_config + if ($test1 -match "permituserenvironment no" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.11" + Task = "Ensure SSH IgnoreRhosts is enabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ignorerhosts + $test2 = grep -Ei '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config + if ($test1 -match "ignorerhosts yes" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.12" + Task = "Ensure SSH X11 forwarding is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i x11forwarding + $test2 = grep -Ei '^\s*x11forwarding\s+yes' /etc/ssh/sshd_config + if ($test1 -match "x11forwarding no" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.13" + Task = "Ensure SSH AllowTcpForwarding is disabled" + Test = { + 
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i allowtcpforwarding + $test2 = grep -Ei '^\s*AllowTcpForwarding\s+yes' /etc/ssh/sshd_config + if ($test1 -match "allowtcpforwarding no" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.14" + Task = "Ensure system-wide crypto policy is not over-ridden" + Test = { + $test = grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + if ($test -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.15" + Task = "Ensure SSH warning banner is configured" + Test = { + $test = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep banner + if ($test -match "banner /etc/issue.net") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.16" + Task = "Ensure SSH MaxAuthTries is set to 4 or less" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep maxauthtries + $test2 = grep -Ei '^\s*maxauthtries\s+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config + if ($test1 -match "maxauthtries 4" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.17" + Task = "Ensure SSH MaxStartups is configured" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups + $test2 = grep -Ei '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config + if ($test1 -match "maxstartups 10:30:60" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + 
+[AuditTest] @{ + Id = "5.2.18" + Task = "Ensure SSH MaxSessions is set to 10 or less" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxsessions + $test2 = grep -Ei '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config + if ($test1 -match "maxsessions 10" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.19" + Task = "Ensure SSH LoginGraceTime is set to one minute or less" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime + $test2 = grep -Ei '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config + if ($test1 -match "logingracetime 60" -and $test2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.20" + Task = "Ensure SSH Idle Timeout Interval is configured" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientaliveinterval | cut -d ' ' -f 2 + $test2 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientalivecountmax | cut -d ' ' -f 2 + if ($test1 -gt 0 -and $test2 -gt 0) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.1" + Task = "Ensure SUDO is installed" + Test = { + $test = dnf list sudo | grep sudo.x86_64 + if ($test -match "sudo") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.2" + Task = "Ensure sudo commands use pty" + Test = { + $test = grep -rPi '^\h*Defaults\h+([^#\n\r]+,)?use_pty(,\h*\h+\h*)*\h*(#.*)?$' /etc/sudoers* + if ($test -match "/etc/sudoers:Defaults use_pty") { + return $retCompliant + } else { + return 
$retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.3" + Task = "Ensure sudo log file exists" + Test = { + $test = grep -Ei '^\s*Defaults\s+logfile=\S+' /etc/sudoers /etc/sudoers.d/* + if ($test -match "/etc/sudoers:Defaults use_pty") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.4" + Task = "Ensure users must provide password for escalation" + Test = { + $test = grep -r "^[^#].*NOPASSWD" /etc/sudoers* + if ($test -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.5" + Task = "Ensure re-authentication for privilege escalation is not disabled globally" + Test = { + $test = grep -r "^[^#].*\!authenticate" /etc/sudoers* + if ($test -match "!authenticate") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.6" + Task = "Ensure sudo authentication timeout is configured correctly" + Test = { + $test = grep -roP "timestamp_timeout=\K[0-9]*" /etc/sudoers* | cut -d ' ' -f 2 + if ($test -le 15) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.7" + Task = "Ensure access to the su command is restricted" + Test = { + $test1 = grep -Pi '^\h*auth\h+(?:required|requisite)\h+pam_wheel\.so\h+(?:[^#\n\r]+\h+)?((?!\2)(use_uid\b|group=\H+\b))\h+(?:[^#\n\r]+\h+)?((?!\1)(use_uid\b|group=\H+\b))(\h+.*)?$' /etc/pam.d/su + if ($test1 -match "auth required pam_wheel.so use_uid group=") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1" + Task = "Ensure custom authselect profile is used" + Test = { + $test1 = authselect list | grep '^-\s*custom' + if ($test1 -eq $null) { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +# 5.4.2 ist leider schlecht beschrieben, die Pruefung ist mit ihren Parametern bestenfalls mangelhaft +[AuditTest] @{ + Id = "5.4.2" + Task = "Ensure authselect includes 
with-faillock" + Test = { + $test1 = grep pam_faillock.so /etc/pam.d/password-auth /etc/pam.d/system-auth + if ($test1 -match "/etc/authselect/password-auth:auth") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.5.1" + Task = "Ensure password creation requirements are configured" + Test = { + $test1 = grep ^minlen /etc/security/pwquality.conf | cut -d '=' -f 2 + if ($test1 -ge 14) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.5.2" + Task = "Ensure lockout for failed password attempts is configured" + Test = { + $test1 = grep -E '^\s*deny\s*=\s*[1-5]\b' /etc/security/faillock.conf | cut -d '=' -f 2 + $test2 = grep -E '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b' /etc/security/faillock.conf | cut -d '=' -f 2 + if ($test1 -le 5 -and ($test2 -eq 0 -or $test2 -ge 900)) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.5.3" + Task = "Ensure password reuse is limited" + Test = { + $test1 = grep -P '^\h*password\h+(requisite|sufficient)\h+(pam_pwhistory\.so|pam_unix\.so)\h+([^#\n\r]+\h+)?remember=([5-9]|[1-9][0-9]+)\h*(\h+.*)?$' /etc/pam.d/system-auth + if ($test1 -match "remember=5") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.5.4" + Task = "Ensure password hashing algorithm is SHA-512 or yescrypt" + Test = { + $test1 = grep -Ei '^\s*crypt_style\s*=\s*(sha512|yescrypt)\b' /etc/libuser.conf + $test2 = grep -Ei '^\s*ENCRYPT_METHOD\s+(SHA512|yescrypt)\b' /etc/login.defs + if (($test2 -match "ENCRYPT_METHOD SHA512" -or $test2 -match "ENCRYPT_METHOD YESCRYPT") -and ($test1 -match "crypt_style = sha512" -or $test1 -match "crypt_style = yescrypt")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.1.1" + Task = "Ensure password expiration is 365 days or less" + Test = { + $resultScript1 = 
$scriptPath + "CIS100_RHEL9_5611_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_5611_2.sh" + $result2 = bash $resultScript2 + if ($result1 -le 365 -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.1.2" + Task = "Ensure minimum days between password changes is configured" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_5612_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_5612_2.sh" + $result2 = bash $resultScript2 + if ($result1 -ge 1 -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.1.3" + Task = "Ensure password expiration warning days is 7 or more" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_5613_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_5613_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "PASS_WARN_AGE\s*7" -and !($result2 -match "FAIL")) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.1.4" + Task = "Ensure inactive password lock is 30 days or less" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_5614_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_5614_2.sh" + $result2 = bash $resultScript2 + if ($result1 -ge 2 -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.1.5" + Task = "Ensure all users last password change date is in the past" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_5615.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.2" + Task = "Ensure system accounts are secured" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_562_1.sh" + 
$result1 = bash $resultScript1 + $resultScript2 = $scriptPath + "CIS100_RHEL9_562_2.sh" + $result2 = bash $resultScript2 + if ($result1 -eq $null -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.3" + Task = "Ensure default user shell timeout is 900 seconds or less" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + output1="" output2="" + [ -f /etc/bashrc ] && BRC="/etc/bashrc" + for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do + grep -Pq '^\s*([^#]+\s+)?TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?readonly\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?export\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && output1="$f" + done + grep -Pq '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b' /etc/profile /etc/profile.d/*.sh "$BRC" && output2=$(grep -Ps '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b' /etc/profile /etc/profile.d/*.sh $BRC) + if [ -n "$output1" ] && [ -z "$output2" ]; then + echo -e "\nPASSED\n\nTMOUT is configured in: \"$output1\"\n" + else + [ -z "$output1" ] && echo -e "\nFAILED\n\nTMOUT is not configured\n" [ -n "$output2" ] && echo -e "\nFAILED\n\nTMOUT is incorrectly configured in: \"$output2\"\n" + fi +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.4" + Task = "Ensure default group for the root account is GID 0" + Test = { + $test1 = grep "^root:" /etc/passwd | cut -f4 -d ':' + if ($test1 -eq 0) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.5" + Task = "Ensure default user shell timeout is 900 seconds or less" + Test = { + $resultScript1 = $scriptPath + "CIS100_RHEL9_565_1.sh" + $result1 = bash $resultScript1 + $resultScript2 = 
$scriptPath + "CIS100_RHEL9_565_2.sh" + $result2 = bash $resultScript2 + if ($result1 -match "umask is set" -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.6.6" + Task = "Ensure root password is set" + Test = { + $test1 = passwd -S root + if ($test1 -match "Password set") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +### Chapter 6 - System Maintenance + + +[AuditTest] @{ + Id = "6.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/passwd + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/passwd- + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure permissions on /etc/group are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/group + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.4" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/group- + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.5" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/shadow + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.6" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/shadow- + if ($test1 -match "0 
0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.7" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.7" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.8" + Task = "Ensure permissions on /etc/gshadow- are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow- + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.9" + Task = "Ensure no world writable files exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + if ($test1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.10" + Task = "Ensure no unowned files or directories exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser + if ($test1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.11" + Task = "Ensure no ungrouped files or directories exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup + if ($test1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.12" + Task = "Ensure sticky bit is set on all world-writable directories" + Test = { + $test_string = "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev 
-type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null" + $test = bash -c $test_string + if ($test -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.13" + Task = "Audit SUID executables" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.1.14" + Task = "Audit SGID executables" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.1.15" + Task = "Audit system file permissions" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_621.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.2" + Task = "Ensure /etc/shadow password fields are not empty" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_622.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.3" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + grep -q -P "^.*?:[^:]*:$i:" /etc/group + if [ $? 
-ne 0 ]; then + echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" + fi + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.4" + Task = "Ensure no duplicate UIDs exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do + [ -z "$x" ] && break + set - $x + if [ $1 -gt 1 ]; then + users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs) + echo "Duplicate UID ($2): $users" + fi + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.5" + Task = "Ensure no duplicate GIDs exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -d: -f3 /etc/group | sort | uniq -d | while read x ; do + echo "Duplicate GID ($x) in /etc/group" + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.6" + Task = "Ensure no duplicate user names exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r x; do + echo "Duplicate login name $x in /etc/passwd" + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.7" + Task = "Ensure no duplicate group names exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -d: -f1 /etc/group | sort | uniq -d | while read -r x; do + echo "Duplicate group name $x in /etc/group" + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.8" + Task = "Ensure root PATH 
Integrity" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_628.sh" + $result = bash $resultScript + if ($result -match "is not a directory") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.9" + Task = "Ensure root is the only UID 0 account" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_629.sh" + $result = bash $resultScript + if ($result -eq "root") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.10" + Task = "Ensure local interactive user home directories exist" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6210.sh" + $result = bash $resultScript + if ($result -match "FAILED") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.11" + Task = "Ensure local interactive users own their home directories" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6210.sh" + $result = bash $resultScript + if ($result -match "FAILED") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.12" + Task = "Ensure local interactive user home directories are mode 750 or more restrictive" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6212.sh" + $result = bash $resultScript + if ($result -match "FAILED") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.13" + Task = "Ensure no local interactive user has .netrc files" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6213.sh" + $result = bash $resultScript + if ($result -match "FAILED") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.14" + Task = "Ensure no local interactive user has .forward files" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6214.sh" + $result = bash $resultScript + if ($result -match "FAILED") { + return $retNonCompliant + } else { + return 
$retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.15" + Task = "Ensure no local interactive user has .rhosts files" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6215.sh" + $result = bash $resultScript + if ($result -match "FAILED") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.16" + Task = "Ensure local interactive user dot files are not group or world writable" + Test = { + $resultScript = $scriptPath + "CIS100_RHEL9_6216.sh" + $result = bash $resultScript + if ($result -match "Failed") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} diff --git a/ATAPAuditor/AuditGroups/Red Hat Enterprise Linux 9-CIS-2.0.0.ps1 b/ATAPAuditor/AuditGroups/Red Hat Enterprise Linux 9-CIS-2.0.0.ps1 new file mode 100644 index 0000000..5718492 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Red Hat Enterprise Linux 9-CIS-2.0.0.ps1 
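Review bot: the 6.1.12 test in this hunk can never report non-compliant, because `$test_string` is a double-quoted PowerShell string and PowerShell expands `$6` (to an empty value) before bash runs it; `awk '{if (NR!=1) print $6}'` degrades to `print`, find is handed whole df lines as paths, its errors go to `2>/dev/null`, `$test` is empty and `$retCompliant` is returned regardless of sticky bits. Use a single-quoted string or a `@'...'@` here-string, as the 6.2.3 to 6.2.7 tests in the same hunk already do. Three more copy-paste defects in this hunk: the 6.1.7 block for /etc/gshadow appears twice; 6.2.11 runs `CIS100_RHEL9_6210.sh`, the 6.2.10 script, so it can only repeat the 6.2.10 verdict instead of checking home directory ownership; and the `-match "0 0/root 0/root"` pattern in 6.1.7/6.1.8 is an unanchored substring match, so any mode whose last digit is 0 (660, 770) passes. Anchor the expected mode, for example `-match "^/etc/gshadow 0 0/root 0/root$"`, and prefer `$null -eq $test1` over `$test1 -eq $null` in 6.1.9 to 6.1.11 so an array result is not silently filtered.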
@@ -0,0 +1,4148 @@ +$rcTrue = "True" +$rcCompliant = "Compliant" +$rcFalse = "False" +$rcNone = "None" +$rcNonCompliant = "Non-Compliant" +$rcNonCompliantManualReviewRequired = "Manual review required" +$rcCompliantIPv6isDisabled = "IPv6 is disabled" + +$retCompliant = @{ + Message = $rcCompliant + Status = $rcTrue +} +$retNonCompliant = @{ + Message = $rcNonCompliant + Status = $rcFalse +} +$retCompliantIPv6Disabled = @{ + Message = $rcCompliantIPv6isDisabled + Status = $rcTrue +} +$retNonCompliantManualReviewRequired = @{ + Message = $rcNonCompliantManualReviewRequired + Status = $rcNone +} + +$IPv6Status_script = grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable && echo "IPv6 is enabled" || echo "IPv6 is not enabled" +$IPv6Status = bash -c $IPv6Status_script +if ($IPv6Status -match "is enabled") { + $IPv6Status = "enabled" +} +else { + $IPv6Status = "disabled" +} + +$parentPath = Split-Path -Parent -Path $PSScriptRoot +$scriptPath = $parentPath + "/Helpers/ShellScripts/RHEL9_CIS2.0.0/" +$commonPath = $parentPath + "/Helpers/ShellScripts/common/" + +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure cramfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure freevxfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.3" + Task = "Ensure hfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.4" + Task = "Ensure hfsplus kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.5" + Task = "Ensure jffs2 kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.6" + Task = "Ensure squashfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.7" + Task = "Ensure udf kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.8" + Task = "Ensure usb-storage kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.8.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +# MISSING RULE: 1.1.1.9 - Ensure unused filesystems kernel modules are not available +[AuditTest] @{ + Id = "1.1.2.1.1" + Task = "Ensure /tmp is a separate partition" + Test = { + $result = findmnt --kernel /tmp | grep -E '\s/tmp\s' + if ($result -match "/tmp") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.1.2" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $script = $commonPath + "1.1.2.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.3" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $script = $commonPath + "1.1.2.1.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.4" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep noexec + if ($result -match "/tmp") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.2.1" + Task = "Ensure /dev/shm is a separate partition" + Test = { + $result = findmnt --kernel /dev/shm + if ($result -match "/dev/shm") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.2.2" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.2.3" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.2.4" + Task = "Ensure noexec option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.3.1" + Task = "Ensure separate partition exists for /home" + Test = { + $result = findmnt --kernel /home + if ($result -match "/home") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.3.2" + Task = "Ensure nodev option set on /home partition" + Test = { + $script = $commonPath + "1.1.2.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.3.3" + Task = "Ensure nosuid option set on /home partition" + Test = { + $script = $commonPath + "1.1.2.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.4.1" + Task = "Ensure separate partition exists for /var" + Test = { + $result = findmnt --kernel /var + if ($result -match "/var") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + + +[AuditTest] @{ + Id = "1.1.2.4.2" + Task = "Ensure nodev option set on /var partition" + Test = { + $script = $commonPath + "1.1.2.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.4.3" + Task = "Ensure nosuid option set on /var partition" + Test = { + $script = $commonPath + "1.1.2.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.1" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result = findmnt --kernel /var/tmp + if ($result -match "/var/tmp") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.5.2" + Task = "Ensure nodev option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.3" + Task = "Ensure nosuid option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.4" + Task = "Ensure noexec option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.1" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result = findmnt --kernel /var/log + if ($result -match "/var/log") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.6.2" + Task = "Ensure nodev option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.3" + Task = "Ensure nosuid option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.4" + Task = "Ensure noexec option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.1" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit + if ($result -match "/var/log/audit") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.1.2.7.2" + Task = "Ensure nodev option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.3" + Task = "Ensure nosuid option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.4" + Task = "Ensure noexec option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.2.1.1" + Task = "Ensure GPG keys are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "1.2.1.2" + Task = "Ensure gpgcheck is globally activated" + Test = { + $script = $scriptPath + "1.2.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.2.1.3" + Task = "Ensure repo_gpgcheck is globally activated" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "1.2.1.4" + Task = "Ensure package manager repositories are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "1.2.2.1" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "1.3.1.1" + Task = "Ensure SELinux is installed" + Test = { + rpm -q libselinux 2>&1 >/dev/null + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.3.1.2" + Task = "Ensure SELinux is not disabled in bootloader configuration" + Test = { + $script = $scriptPath + "1.3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.3.1.3" + Task = "Ensure SELinux policy is configured" + Test = { + $script = $scriptPath + "1.3.1.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.3.1.4" + Task = "Ensure the SELinux mode is not disabled" + Test = { + $result1 = getenforce + $result2 = grep -Ei '^\s*SELINUX=(enforcing|permissive)' /etc/selinux/config + if (($result1 -match "Enforcing" -or $result1 -match "Permissive") -and ($result2 -match "SELINUX=enforcing" -or $result2 -match "SELINUX=permissive")) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.3.1.5" + Task = "Ensure the SELinux mode is enforcing" + Test = { + $script = $scriptPath + "1.3.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +# MISSING RULE: 1.3.1.6 - Ensure no unconfined services exist +[AuditTest] @{ + Id = "1.3.1.7" + Task = "Ensure the MCS Translation Service (mcstrans) is not installed" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd + if ($result -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.3.1.8" + Task = "Ensure SETroubleshoot is not installed" + Test = { + rpm -q setroubleshoot 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure bootloader password is set" + Test = { + $result = awk -F. '/^\s*GRUB2_PASSWORD/ {print $1"."$2"."$3}' /boot/grub2/user.cfg + if ($result -match "GRUB2_PASSWORD=grub.pbkdf2.sha512") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure access to bootloader config is configured" + Test = { + $script = $commonPath + "1.4.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure address space layout randomization is enabled" + Test = { + $script = $commonPath + "1.5.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure ptrace_scope is restricted" + Test = { + $script = $commonPath + "1.5.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure core dump backtraces are disabled" + Test = { + $script = $scriptPath + "1.5.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.4" + Task = "Ensure core dump storage is disabled" + Test = { + $script = $scriptPath + "1.5.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.6.1" + Task = "Ensure system wide crypto policy is not set to legacy" + Test = { + $script = $scriptPath + "1.6.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.6.2" + Task = "Ensure system wide crypto policy is not set in sshd configuration" + Test = { + $script = $scriptPath + "1.6.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +# MISSING RULE: 1.6.3 - Ensure system wide crypto policy disables sha1 hash and signature support +# MISSING RULE: 1.6.4 - Ensure system wide crypto policy disables macs less than 128 bits +# MISSING RULE: 1.6.5 - Ensure system wide crypto policy disables cbc for ssh +# MISSING RULE: 1.6.6 - Ensure system wide crypto policy disables chacha20-poly1305 for ssh +# MISSING RULE: 1.6.7 - Ensure system wide crypto policy disables EtM for ssh +[AuditTest] @{ + Id = "1.7.1" + Task = "Ensure message of the day is configured properly" + Test = { + $script = $scriptPath + "1.7.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.7.2" + Task = "Ensure local login warning banner is configured properly" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + if ($result -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.7.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + if ($result -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.7.4" + Task = "Ensure access to /etc/motd is configured" + Test = { + $script = $scriptPath + "1.7.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.7.5" + Task = "Ensure permissions on /etc/issue are configured" + Test = { + $result = stat -c "%a" /etc/issue + if ($result -eq 644) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.7.6" + Task = "Ensure permissions on /etc/issue.net are configured" + Test = { + $result = stat -c "%a" /etc/issue.net + if ($result -eq 644) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.1" + Task = "Ensure GNOME Display Manager is removed" + Test = { + rpm -q gdm 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.2" + Task = "Ensure GDM login banner is configured" + Test = { + $resultScript = $scriptPath + "1.8.2.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.3" + Task = "Ensure GDM disable-user-list option is enabled" + Test = { + $resultScript = $scriptPath + "1.8.3.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.4" + Task = "Ensure GDM screen locks when the user is idle" + Test = { + $resultScript = $scriptPath + "1.8.4.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.5" + Task = "Ensure GDM screen locks cannot be overridden" + Test = { + $resultScript = $scriptPath + "1.8.5.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.6" + Task = "Ensure GDM automatic mounting of removable media is disabled" + Test 
= { + $resultScript = $scriptPath + "1.8.6.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.7" + Task = "Ensure GDM disabling automatic mounting of removable media is not overridden" + Test = { + $resultScript = $scriptPath + "1.8.7.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.8" + Task = "Ensure GDM autorun-never is enabled" + Test = { + $resultScript = $scriptPath + "1.8.8.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.9" + Task = "Ensure GDM autorun-never is not overridden" + Test = { + $resultScript = $scriptPath + "1.8.9.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.8.10" + Task = "Ensure XDMCP is not enabled" + Test = { + $script = $scriptPath + "1.8.10.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.1.1" + Task = "Ensure time synchronization is in use" + Test = { + rpm -q chrony 2>&1 >/dev/null + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.1.2" + Task = "Ensure chrony is configured" + Test = { + $test = grep -E "^(server|pool)" /etc/chrony.conf | grep OPTIONS\s*-u\s*chrony + if ($test -match "OPTIONS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.1.3" + Task = "Ensure dhcp server services are not in use" + Test = { + rpm -q isc-dhcp-server 2>&1 >/dev/null + if (! $?) 
{ + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null isc-dhcp-server.service + if (! $?) { + $test2 = systemctl is-enabled 2>/dev/null isc-dhcp-server6.service + if (! $?) { + return $retCompliant + } + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.4" + Task = "Ensure dns server services are not in use" + Test = { + rpm -q bind9 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null bind9.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +# MISSING RULE: 2.1.5 - Ensure dnsmasq services are not in use +[AuditTest] @{ + Id = "2.1.6" + Task = "Ensure samba file server services are not in use" + Test = { + rpm -q samba 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null samba.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.7" + Task = "Ensure ftp server services are not in use" + Test = { + rpm -q vsftpd 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null vsftpd.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.8" + Task = "Ensure message access server services are not in use" + Test = { + rpm -q dovecot-imapd 2>&1 >/dev/null + if ($?) { + return $retNonCompliant + } + rpm -q dovecot-pop3d 2>&1 >/dev/null + if ($?) { + return $retNonCompliant + } + $test3 = systemctl is-enabled 2>/dev/null dovecot.socket + if (! $?) { + $test4 = systemctl is-enabled 2>/dev/null dovecot.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.9" + Task = "Ensure network file system services are not in use" + Test = { + rpm -q nfs-kernel-server 2>&1 >/dev/null + if (! $?) 
{ + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null nfs-kernel.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.10" + Task = "Ensure nis server services are not in use" + Test = { + rpm -q ypserv 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null ypserv.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.11" + Task = "Ensure print server services are not in use" + Test = { + rpm -q cups 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null cups.service + if (! $?) { + $test3 = systemctl is-enabled 2>/dev/null cups.socket + if (! $?) { + return $retCompliant + } + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.12" + Task = "Ensure rpcbind services are not in use" + Test = { + rpm -q rpcbind 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null rpcbind.service + if (! $?) { + $test3 = systemctl is-enabled 2>/dev/null rpcbind.socket + if (! $?) { + return $retCompliant + } + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.13" + Task = "Ensure rsync services are not in use" + Test = { + $script = $commonPath + "2.1.13.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.15" + Task = "Ensure snmp services are not in use" + Test = { + rpm -q snmpd 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null snmpd.service + if (! $?) 
{ + return $retCompliant + } + } + return $retNonCompliant + } +} + +# MISSING RULE: 2.1.15 - Ensure telnet server services are not in use +[AuditTest] @{ + Id = "2.1.16" + Task = "Ensure tftp server services are not in use" + Test = { + rpm -q tftpd-hpa 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null tftpd-hpa.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.17" + Task = "Ensure web proxy server services are not in use" + Test = { + rpm -q squid 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null squid.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.18" + Task = "Ensure web server services are not in use" + Test = { + rpm -q apache2 2>&1 >/dev/null + if ($?) { + return $retNonCompliant + } + rpm -q ginx 2>&1 >/dev/null + if ($?) { + return $retNonCompliant + } + else { + $services = 'apache2.service', 'apache2.socket', 'nginx.service', 'nginx.socket' + $test3 = "disabled" + foreach ($service in $services) { + $test4 = systemctl is-enabled $service 2>/dev/null + if ($?) { + $test3 = "enabled" + } + } + if ($test3 -match "disabled") { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.19" + Task = "Ensure xinetd services are not in use" + Test = { + rpm -q xinetd 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + $test2 = systemctl is-enabled 2>/dev/null xinetd.service + if (! $?) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.1.20" + Task = "Ensure X window server services are not in use" + Test = { + rpm -q xserver-commen 2>&1 >/dev/null + if (! $?) 
{ + return $retCompliant + } + return $retNonCompliant + } +} + +# MISSING RULE: 2.1.21 - Ensure mail transfer agents are configured for local-only mode +[AuditTest] @{ + Id = "2.1.22" + Task = "Ensure only approved services are listening on a network interface" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "2.2.1" + Task = "Ensure xorg-x11-server-common is not installed" + Test = { + rpm -q xorg-x11-server-common 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure Avahi Server is not installed" + Test = { + rpm -q avahi 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.2.3" + Task = "Ensure CUPS is not installed" + Test = { + rpm -q cups 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure DHCP Server is not installed" + Test = { + rpm -q dhcp-server 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure DNS Server is not installed" + Test = { + rpm -q bind 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.3.2" + Task = "Ensure LDAP client is not installed" + Test = { + rpm -q openldap-clients 2>&1 >/dev/null + if (! $?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.3.3" + Task = "Ensure chrony is not run as the root user" + Test = { + $script = $scriptPath + "2.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.4.1.1" + Task = "Ensure cron daemon is enabled and active" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if ($test1 -eq "enabled" -and $test2 -match "running") { + return $retCompliant + } + return $retCompliant + } +} + +[AuditTest] @{ + Id = "2.4.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $result1 = stat -c "%a" /etc/crontab + if ($result1 -eq 600 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.4.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.hourly + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.4.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.daily + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.4.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.weekly + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.4.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.monthly + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.4.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.d + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "2.4.1.8" + Task = "Ensure crontab is restricted to authorized 
users" + Test = { + $script = $commonPath + "2.4.1.8.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.4.2.1" + Task = "Ensure at is restricted to authorized users" + Test = { + $script = $commonPath + "2.4.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.1.1" + Task = "Ensure IPv6 status is identified" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $script = $commonPath + "3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.1.3" + Task = "Ensure TIPC is disabled" + Test = { + $resultScript = $scriptPath + "3.1.3.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "3.2.1" + Task = "Ensure dccp kernel module is not available" + Test = { + $script = $commonPath + "3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure tipc kernel module is not available" + Test = { + $script = $commonPath + "3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.3" + Task = "Ensure rds kernel module is not available" + Test = { + $script = $commonPath + "3.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.4" + Task = "Ensure sctp kernel module is not available" + Test = { + $script = $commonPath + "3.2.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure ip forwarding is disabled" + Test = { + $script = $commonPath + "3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure packet redirect sending is disabled" + Test = { + $script = $commonPath + "3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.3" + Task = "Ensure bogus icmp responses are ignored" + Test = { + $script = $commonPath + "3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure broadcast icmp requests are ignored" + Test = { + $script = $commonPath + "3.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure icmp redirects are not accepted" + Test = { + $script = $commonPath + "3.3.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure secure icmp redirects are not accepted" + Test = { + $script = $commonPath + "3.3.6.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure reverse path filtering is enabled" + Test = { + $script = $commonPath + "3.3.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure source routed packets are not accepted" + Test = { + $script = $commonPath + "3.3.8.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure suspicious packets are logged" + Test = { + $script = $commonPath + "3.3.9.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.10" + Task = "Ensure tcp syn cookies is enabled" + Test = { + $script = $commonPath + "3.3.10.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.11" + Task = "Ensure ipv6 router advertisements are not accepted" + Test = { + $script = $commonPath + "3.3.11.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "4.1.1" + Task = "Ensure nftables is installed" + Test = { + rpm -q nftables 2>&1 >/dev/null + if ($result -match "nftables-") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "4.1.2" + Task = "Ensure a single firewall configuration utility is in use" + Test = { + $resultScript = $scriptPath + "4.1.2.sh" + $result = bash $resultScript + if ($result -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "4.2.1" + Task = "Ensure firewalld drops unnecessary services and ports" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +# MISSING RULE: 4.2.2 - Ensure firewalld loopback traffic is configured +[AuditTest] @{ + Id = "4.3.1" + Task = "Ensure nftables base chains exist" + Test = { + try { + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if ($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } + catch { + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} + + +[AuditTest] @{ + Id = "4.3.2" + Task = "Ensure nftables established connections are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "4.3.3" + Task = "Ensure nftables default deny firewall policy" + Test = { + $result1 = systemctl --quiet is-enabled nftables.service && nft list ruleset | grep 'hook input' | grep -v 'policy drop' + $result2 = systemctl --quiet is-enabled nftables.service && nft list ruleset | grep 'hook forward' | grep -v 'policy drop' + if ($result1 -eq $null -and $result2 -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +### Chapter 4 - Logging and Auditing + +[AuditTest] @{ + Id = "4.3.4" + Task = "Ensure nftables loopback traffic is configured" + Test = { + try { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + if ($isIPv6Disabled -ne $true) { + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + $test2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + if ($test1 -match 'iif "lo" accept' -and $test2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop") { + return $retCompliant + } + } + else { + $test = nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + if ($test -match 'ip6 saddr ::1 counter packets 0 bytes 0 drop') { + return $retCompliant + } + } + return $retNonCompliant + } + catch { + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} + +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled" + Test = { + $result1 = systemctl is-enabled crond + if ($result1 -match "enabled") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $result1 = stat -c "%a" /etc/crontab + if ($result1 -eq 600 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + $script = $commonPath + "5.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.daily + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.weekly + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.monthly + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $result1 = stat -c "%a" /etc/cron.d + if ($result1 -eq 700 ) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure cron is restricted to authorized users" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + if rpm -q cronie 2>&1 >/dev/null >/dev/null; then + [ -e /etc/cron.deny ] && 
echo "Fail: cron.deny exists" + if [ ! -e /etc/cron.allow ]; then + echo "Fail: cron.allow doesn't exist" + else + ! stat -Lc "%a" /etc/cron.allow | grep -Eq "[0,2,4,6]00" && echo "Fail: cron.allow mode too permissive" + ! stat -Lc "%u:%g" /etc/cron.allow | grep -Eq "^0:0$" && echo "Fail: cron.allow owner and/or group not root" + fi + if [ ! -e /etc/cron.deny ] && [ -e /etc/cron.allow ] && stat -Lc "%a" /etc/cron.allow | grep -Eq "[0,2,4,6]00" \ && stat -Lc "%u:%g" /etc/cron.allow | grep -Eq "^0:0$"; then + echo "Pass" + fi + else + echo "PASS: cron is not installed on the system" + fi +} +'@ + $script = bash -c $script_string + if ($script -match "PASS") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" + Test = { + $script = $scriptPath + "5.1.9.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.10" + Task = "Ensure sshd DisableForwarding is enabled" + Test = { + $script = $scriptPath + "5.1.10.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.11" + Task = "Ensure sshd GSSAPIAuthentication is disabled" + Test = { + $script = $scriptPath + "5.1.11.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.12" + Task = "Ensure sshd HostbasedAuthentication is disabled" + Test = { + $script = $scriptPath + "5.1.12.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.13" + Task = "Ensure sshd IgnoreRhosts is enabled" + Test = { + $script = $scriptPath + "5.1.13.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.14" + Task = "Ensure sshd LoginGraceTime is configured" + Test = { + $script = $scriptPath + "5.1.14.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.15" + Task = "Ensure sshd LogLevel is configured" + Test = { + $script = $scriptPath + "5.1.15.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.16" + Task = "Ensure sshd MaxAuthTries is configured" + Test = { + $script = $commonPath + "5.1.16.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.17" + Task = "Ensure sshd MaxStartups is configured" + Test = { + $script = $scriptPath + "5.1.17.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.18" + Task = "Ensure sshd MaxSessions is configured" + Test = { + $script = $scriptPath + "5.1.18.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.19" + Task = "Ensure sshd PermitEmptyPasswords is disabled" + Test = { + $script = $commonPath + "5.1.19.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.20" + Task = "Ensure sshd PermitRootLogin is disabled" + Test = { + $script = $commonPath + "5.1.20.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.21" + Task = "Ensure sshd PermitUserEnvironment is disabled" + Test = { + $script = $commonPath + "5.1.21.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.22" + Task = "Ensure sshd UsePAM is enabled" + Test = { + $script = $commonPath + "5.1.22.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure permissions on /etc/ssh/sshd_config are configured" + Test = { + $result1 = stat -Lc "%n %a %u/%U %g/%G" /etc/ssh/sshd_config + if ($result1 -match "/etc/ssh/sshd_config 600 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure sudo commands use pty" + Test = { + $script = $commonPath + "5.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure sudo log file exists" + Test = { + $script = $commonPath + "5.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.4" + Task = "Ensure SSH access is limited" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' + $test2 = grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config + if ($test1 -match "allowusers " -or $test1 -match "allowgroups " -or $test1 -match "denyusers " -or $test1 -match "denygroups " -or + $test2 -match "allowusers " -or $test2 -match "allowgroups " -or $test2 -match "denyusers " -or $test2 -match "denygroups ") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.2.5" + Task = "Ensure SSH LogLevel is appropriate" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' + 
$test2 = grep -Pi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config + if (($test1 -match "allowusers " -or $test1 -match "allowgroups " -or $test1 -match "denyusers " -or $test1 -match "denygroups ") -and + ($test2 -match "allowusers " -or $test2 -match "allowgroups " -or $test2 -match "denyusers " -or $test2 -match "denygroups ")) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.2.6" + Task = "Ensure sudo authentication timeout is configured correctly" + Test = { + $script = $commonPath + "5.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.7" + Task = "Ensure SSH root login is disabled" + Test = { + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootlogin + $test2 = grep -Ei '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config + if ($test1 -match "permitrootlogin no" -and $test2 -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.3.1.1" + Task = "Ensure latest version of pam is installed" + Test = { + rpm -q libpam-runtime 2>&1 >/dev/null + if ($?) { + return $retNonCompliant + } + return $retCompliant + } +} + +# MISSING RULE: 5.3.1.2 - Ensure latest version of authselect is installed +# MISSING RULE: 5.3.1.3 - Ensure latest version of libpwquality is installed +# MISSING RULE: 5.3.2.1 - Ensure active authselect profile includes pam modules +[AuditTest] @{ + Id = "5.3.2.2" + Task = "Ensure pam_faillock module is enabled" + Test = { + $script = $scriptPath + "5.3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.3" + Task = "Ensure pam_pwquality module is enabled" + Test = { + $script = $scriptPath + "5.3.2.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.4" + Task = "Ensure pam_pwhistory module is enabled" + Test = { + $script = $scriptPath + "5.3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.5" + Task = "Ensure pam_unix module is enabled" + Test = { + $script = $scriptPath + "5.3.2.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.1" + Task = "Ensure password failed attempts lockout is configured" + Test = { + $script = $commonPath + "5.3.3.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.2" + Task = "Ensure password unlock time is configured" + Test = { + $script = $commonPath + "5.3.3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.3" + Task = "Ensure password failed attempts lockout includes root account" + Test = { + $script = $commonPath + "5.3.3.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.1" + Task = "Ensure password number of changed characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.2" + Task = "Ensure password length is configured" + Test = { + $script = $commonPath + "5.3.3.2.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.3" + Task = "Ensure password complexity is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "5.3.3.2.4" + Task = "Ensure password same consecutive characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.5" + Task = "Ensure password maximum sequential characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.6" + Task = "Ensure password dictionary check is enabled" + Test = { + $script = $commonPath + "5.3.3.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.7" + Task = "Ensure password quality is enforced for the root user" + Test = { + $script = $scriptPath + "5.3.3.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.1" + Task = "Ensure password history remember is configured" + Test = { + $script = $scriptPath + "5.3.3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.2" + Task = "Ensure password history is enforced for the root user" + Test = { + $script = $scriptPath + "5.3.3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.3" + Task = "Ensure pam_pwhistory includes use_authtok" + Test = { + $script = $commonPath + "5.3.3.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.3.4.1" + Task = "Ensure pam_unix does not include nullok" + Test = { + $script = $commonPath + "5.3.3.4.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.3.4.2" + Task = "Ensure pam_unix does not include remember" + Test = { + $script = $scriptPath + "5.3.3.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.3" + Task = "Ensure pam_unix includes a strong password hashing algorithm" + Test = { + $script = $scriptPath + "5.3.3.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.4" + Task = "Ensure pam_unix includes use_authtok" + Test = { + $script = $commonPath + "5.3.3.4.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.1" + Task = "Ensure password expiration is configured" + Test = { + $script = $commonPath + "5.4.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.2" + Task = "Ensure minimum password days is configured" + Test = { + $script = $commonPath + "5.4.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.3" + Task = "Ensure password expiration warning days is configured" + Test = { + $script = $commonPath + "5.4.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.4" + Task = "Ensure strong password hashing algorithm is configured" + Test = { + $script = $commonPath + "5.4.1.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.5" + Task = "Ensure inactive password lock is configured" + Test = { + $script = $commonPath + "5.4.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.6" + Task = "Ensure all users last password change date is in the past" + Test = { + $resultScript = $scriptPath + "5.4.1.6.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.4.2.1" + Task = "Ensure root is the only UID 0 account" + Test = { + $resultScript = $scriptPath + "5.4.2.1.sh" + $result = bash $resultScript + if ($result -eq "root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.2.2" + Task = "Ensure root is the only GID 0 account" + Test = { + $test1 = grep "^root:" /etc/passwd | cut -f4 -d ':' + if ($test1 -eq 0) { + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.3" + Task = "Ensure group root is the only GID 0 group" + Test = { + $script = $commonPath + "5.4.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +# MISSING RULE: 5.4.2.4 - Ensure root account access is controlled +[AuditTest] @{ + Id = "5.4.2.5" + Task = "Ensure root PATH Integrity" + Test = { + $resultScript = $scriptPath + "5.4.2.5.sh" + $result = bash $resultScript + if ($result -match "is not a directory") { + return $retNonCompliant + } + else { + return $retCompliant + } + } +} + + +[AuditTest] @{ + Id = "5.4.2.6" + Task = "Ensure root user umask is configured" + Test = { + $script = $commonPath + "5.4.2.6.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.7" + Task = "Ensure system accounts do not have a valid login shell" + Test = { + $script = $commonPath + "5.4.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.8" + Task = "Ensure accounts without a valid login shell are locked" + Test = { + $script = $commonPath + "5.4.2.8.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "5.4.3.1" + Task = "Ensure nologin is not listed in /etc/shells" + Test = { + $script = $commonPath + "5.4.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.3.2" + Task = "Ensure default user shell timeout is configured" + Test = { + $script = $commonPath + "5.4.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.3.3" + Task = "Ensure default user umask is configured" + Test = { + $script = $commonPath + "5.4.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/passwd + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/passwd- + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + Test = { + $script = $commonPath + "6.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.1.1" + Task = "Ensure journald service is enabled and active" + Test = { + $test1 = systemctl is-enabled rsyslog + if ($test1 -match "enabled") { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} + +[AuditTest] @{ + Id = "6.2.1.2" + Task = "Ensure journald log file access is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.2.1.3" + Task = "Ensure journald log file rotation is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +# MISSING RULE: 6.2.1.4 - Ensure only one logging system is in use + +[AuditTest] @{ + Id = "6.2.2.1.1" + Task = "Ensure systemd-journal-remote is installed" + Test = { + rpm -q systemd-journal-remote 2>&1 >/dev/null + if ($?) 
{ + return $retCompliant + } + return $retNonCompliant + } +} + + +# MISSING RULE: 6.2.2.1.2 - Ensure systemd-journal-upload authentication is configured + +[AuditTest] @{ + Id = "6.2.2.1.3" + Task = "Ensure systemd-journal-upload is enabled and active" + Test = { + $test1 = systemctl is-enabled systemd-journal-upload.service + $test2 = systemctl is-active systemd-journal-upload.service + if ($test1 -eq "enabled" -and $test2 -match "active") { + return $retCompliant + } + return $retCompliant + } +} + +[AuditTest] @{ + Id = "6.2.2.1.4" + Task = "Ensure systemd-journal-remote service is not in use" + Test = { + $script = $scriptPath + "6.2.2.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.2.2" + Task = "Ensure journald ForwardToSyslog is disabled" + Test = { + $script = $scriptPath + "6.2.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.2.3" + Task = "Ensure journald Compress is configured" + Test = { + $script = $scriptPath + "6.2.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.2.4" + Task = "Ensure journald Storage is configured" + Test = { + $script = $scriptPath + "6.2.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.3.1" + Task = "Ensure rsyslog is installed" + Test = { + rpm -q rsyslog 2>&1 >/dev/null + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +# MISSING RULE: 6.2.3.2 - Ensure rsyslog service is enabled and active +[AuditTest] @{ + Id = "6.2.3.3" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + rpm -q systemd-journal-remote 2>&1 >/dev/null + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "6.2.3.4" + Task = "Ensure rsyslog log file creation mode is configured" + Test = { + $script = $scriptPath + "6.2.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +# MISSING RULE: 6.2.3.5 - Ensure rsyslog logging is configured +[AuditTest] @{ + Id = "6.2.3.6" + Task = "Ensure rsyslog is configured to send logs to a remote log host" + Test = { + return $retNonCompliantManualReviewRequired + } +} + + +[AuditTest] @{ + Id = "6.2.3.7" + Task = "Ensure rsyslog is not configured to receive logs from a remote client" + Test = { + $script = $scriptPath + "6.2.3.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +# MISSING RULE: 6.2.3.8 - Ensure rsyslog logrotate is configured + +[AuditTest] @{ + Id = "6.2.4.1" + Task = "Ensure access to all logfiles has been configured" + Test = { + $fileListAll = find /var/log -type f -ls + $fileListFiltered = find /var/log -type f -ls | grep "\-....\-\-\-\-\-" + if ($fileListAll.Count -eq $fileListFiltered.Count) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "6.3.1.1" + Task = "Ensure auditd packages are installed" + Test = { + rpm -q auditd 2>&1 >/dev/null + if (! $?) { + return $retNonCompliant + } + rpm -q audispd-plugins 2>&1 >/dev/null + if (! $?) { + return $retNonCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "6.3.1.2" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $script = $scriptPath + "6.3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.1.3" + Task = "Ensure audit_backlog_limit is sufficient" + Test = { + $script = $scriptPath + "6.3.1.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.3.1.4" + Task = "Ensure auditd service is enabled and active" + Test = { + $test1 = systemctl is-enabled auditd + if ($test1 -match "enabled") { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "6.3.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + $script = $commonPath + "6.3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $script = $commonPath + "6.3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $result1 = grep space_left_action /etc/audit/auditd.conf + $result2 = grep action_mail_acct /etc/audit/auditd.conf + $result3 = grep -E 'admin_space_left_action\s*=\s*(halt|single)' /etc/audit/auditd.conf + if ($result1 -match "space_left_action = email" -and $result2 -match "action_mail_acct = root" -and ($result3 -match "admin_space_left_action = halt" -or $result3 -match "admin_space_left_action = single")) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "6.3.2.4" + Task = "Ensure system warns when audit logs are low on space" + Test = { + $test1 = grep -Pi -- '^\h*space_left_action\h*=\h*\w+\b' /etc/audit/auditd.conf | awk '{print $3}' + if ($test1 -match "^(email|exec|single|halt)$") { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "6.3.3.1" + Task = "Ensure changes to system administration scope (sudoers) is collected" + Test = { + $script = $commonPath + "6.3.3.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.2" + Task = "Ensure actions as another user are always logged" + Test = { + $script = $commonPath + "6.3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.3" + Task = "Ensure events that modify the sudo log file are collected" + Test = { + $script = $commonPath + "6.3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.4" + Task = "Ensure events that modify date and time information are collected" + Test = { + $script = $commonPath + "6.3.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + $script = $commonPath + "6.3.3.5.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.6" + Task = "Ensure use of privileged commands are collected" + Test = { + $script = $commonPath + "6.3.3.6.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.7" + Task = "Ensure unsuccessful file access attempts are collected" + Test = { + $script = $commonPath + "6.3.3.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.8" + Task = "Ensure events that modify user/group information are collected" + Test = { + $script = $commonPath + "6.3.3.8.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.9" + Task = "Ensure discretionary access control permission modification events are collected" + Test = { + $script = $commonPath + "6.3.3.9.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.10" + Task = "Ensure successful file system mounts are collected" + Test = { + $script = $commonPath + "6.3.3.10.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.11" + Task = "Ensure session initiation information is collected" + Test = { + $script_string1 = @' +#!/usr/bin/env bash +{ + awk '/^ *-w/ &&(/\/var\/run\/utmp/ ||/\/var\/log\/wtmp/ ||/\/var\/log\/btmp/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules +} +'@ + $script_string2 = @' +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-w/ &&(/\/var\/run\/utmp/ ||/\/var\/log\/wtmp/ ||/\/var\/log\/btmp/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} +'@ + $result1 = bash -c $script_string1 + $result2 = bash -c $script_string2 + if ($result1 -match "-w /var/run/utmp -p wa -k session" -and $result1 -match "-w /var/log/wtmp -p wa -k session" -and $result1 -match "-w /var/log/btmp -p wa -k session" -and + $result2 -match "-w /var/run/utmp -p wa -k session" -and $result2 -match "-w /var/log/wtmp -p wa -k session" -and $result2 -match "-w /var/log/btmp -p wa -k session") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + + +[AuditTest] @{ + Id = "6.3.3.12" + Task = "Ensure login and logout events are collected" + Test = { + $script = $commonPath + "6.3.3.12.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.13" + Task = "Ensure file deletion events by users are collected" + Test = { + $script = $commonPath + "6.3.3.13.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.14" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + $script = $commonPath + "6.3.3.14.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.15" + Task = "Ensure successful and unsuccessful attempts to use the chcon command are recorded" + Test = { + $script = $commonPath + "6.3.3.15.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.16" + Task = "Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + Test = { + $script = $commonPath + "6.3.3.16.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.17" + Task = "Ensure successful and unsuccessful attempts to use the chacl command are recorded" + Test = { + $script = $commonPath + "6.3.3.17.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.18" + Task = "Ensure successful and unsuccessful attempts to use the usermod command are recorded" + Test = { + $script = $commonPath + "6.3.3.18.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.19" + Task = "Ensure kernel module loading unloading and modification is collected" + Test = { + $script = $commonPath + "6.3.3.19.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.20" + Task = "Ensure the audit configuration is immutable" + Test = { + $result1 = grep -Ph -- '^\h*-e\h+2\b' /etc/audit/rules.d/*.rules | tail -1 + if ($result1 -match "-e 2") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "6.3.3.21" + Task = "Ensure the running and on disk configuration is the same" + Test = { + $result1 = augenrules --check + if ($result1 -match "/usr/sbin/augenrules: No change") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "6.3.4.1" + Task = "Ensure the audit log file directory mode is configured" + Test = { + $script = $scriptPath + "6.3.4.1.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.2" + Task = "Ensure audit log files mode is configured" + Test = { + $script = $scriptPath + "6.3.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.3" + Task = "Ensure audit log files owner is configured" + Test = { + $script = $scriptPath + "6.3.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.4" + Task = "Ensure audit log files group owner is configured" + Test = { + $script = $scriptPath + "6.3.4.4.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.5" + Task = "Ensure audit configuration files mode is configured" + Test = { + $script = $commonPath + "6.3.4.5.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.6" + Task = "Ensure audit configuration files owner is configured" + Test = { + $script = $commonPath + "6.3.4.6.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.7" + Task = "Ensure audit configuration files group owner is configured" + Test = { + $script = $commonPath + "6.3.4.7.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.8" + Task = "Ensure audit tools mode is configured" + Test = { + $script = $commonPath + "6.3.4.8.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.9" + Task = "Ensure audit tools owner is configured" + Test = { + $script = $commonPath + "6.3.4.9.sh" + bash $script + if ($?) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.3.4.10" + Task = "Ensure audit tools group owner is configured" + Test = { + $test1 = stat -Lc '%G' /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | awk '$1 != "root" {print}' + if ($test1 -eq $null) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "7.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/passwd- + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "7.1.2" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd- | grep -q "0644" + if ($?) 
{ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "7.1.3" + Task = "Ensure permissions on /etc/group are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/group + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.1.4" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/group- + if ($test1 -match "644 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.1.5" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/shadow + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.1.6" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/shadow- + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.1.7" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.1.8" + Task = "Ensure permissions on /etc/gshadow- are configured" + Test = { + $test1 = stat -Lc "%n %a %u/%U %g/%G" /etc/gshadow- + if ($test1 -match "0 0/root 0/root") { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.1.9" + Task = "Ensure permissions on /etc/shells are configured" + Test = { + $script = $commonPath + "7.1.9.sh" + bash $script + if ($?) 
{ + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "7.1.10" + Task = "Ensure permissions on /etc/security/opasswd are configured" + Test = { + $script = $commonPath + "7.1.10.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "7.1.11" + Task = "Ensure world writable files and directories are secured" + Test = { + #$partitions = mapfile -t partitions < (sudo fdisk -l | grep -o '/dev/[^ ]*') + #$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + $script = $commonPath + "7.1.11.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "7.1.12" + Task = "Ensure no files or directories without an owner and a group exist" + Test = { + $script = $commonPath + "7.1.12.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "7.1.13" + Task = "Ensure SUID and SGID files are reviewed" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + $message = "" + foreach ($line in $test1) { + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} + +[AuditTest] @{ + Id = "7.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $resultScript = $scriptPath + "7.2.1.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.2.2" + Task = "Ensure /etc/shadow password fields are not empty" + Test = { + $resultScript = $scriptPath + "7.2.2.sh" + $result = bash $resultScript + if ($result -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.2.3" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + grep -q -P "^.*?:[^:]*:$i:" /etc/group + if [ $? -ne 0 ]; then + echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" + fi + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.2.4" + Task = "Ensure no duplicate UIDs exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do + [ -z "$x" ] && break + set - $x + if [ $1 -gt 1 ]; then + users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs) + echo "Duplicate UID ($2): $users" + fi + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.2.5" + Task = "Ensure no duplicate GIDs exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -d: -f3 /etc/group | sort | uniq -d | while read x ; do + echo "Duplicate GID ($x) in /etc/group" + done +} +'@ + $script = bash -c $script_string + 
if ($script -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.2.6" + Task = "Ensure no duplicate user names exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r x; do + echo "Duplicate login name $x in /etc/passwd" + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "7.2.7" + Task = "Ensure no duplicate group names exist" + Test = { + $script_string = @' +#!/usr/bin/env bash +{ + cut -d: -f1 /etc/group | sort | uniq -d | while read -r x; do + echo "Duplicate group name $x in /etc/group" + done +} +'@ + $script = bash -c $script_string + if ($script -eq $null) { + return $retCompliant + } + else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "7.2.8" + Task = "Ensure local interactive user home directories are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "7.2.9" + Task = "Ensure local interactive user dot files access is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + diff --git a/ATAPAuditor/AuditGroups/SBD - Application Control.ps1 b/ATAPAuditor/AuditGroups/SBD - Application Control.ps1 new file mode 100644 index 0000000..0c0dcca --- /dev/null +++ b/ATAPAuditor/AuditGroups/SBD - Application Control.ps1 
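Review bot: 6.3.1.1 ("Ensure auditd packages are installed") can never report compliant: after both `rpm -q auditd` and `rpm -q audispd-plugins` succeed the block falls through to `return $retNonCompliant`, so that final statement should be `return $retCompliant`. Two other checks in this hunk do not test what their Task string says: 7.1.1 ("Ensure permissions on /etc/passwd are configured") runs `stat -Lc "%n %a %u/%U %g/%G" /etc/passwd-`, i.e. the backup file that 7.1.2 already covers, and should stat `/etc/passwd`; 6.3.1.4 ("Ensure auditd service is enabled and active") only evaluates `systemctl is-enabled auditd` and should also require `systemctl is-active auditd` to report `active`. Style point for the `$script -eq $null` / `$result -eq $null` / `$test1 -eq $null` comparisons (7.2.1 through 7.2.7, 6.3.4.10): put `$null` on the left (`$null -eq $script`) so a multi-line command result is compared rather than filtered, which is what `-eq` does when the left operand is an array.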
@@ -0,0 +1,68 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +[AuditTest] @{ + Id = "SBD-501" + Task = "Ensure Windows Defender Application Control (WDAC) is available." + Test = { + # check newer than win10 + $osVersion = (Get-CimInstance Win32_OperatingSystem).Version + # check whether system is server version 16 or newer + $windowsServerVersions = @( + "Windows Server 2016", + "Windows Server 2019", + "Windows Server 2022" + ) + $isServer2016newer = $windowsServerVersions -contains $os + if( $osVersion -ge '10.0.0.0' -or $isServer2016newer -eq $true){ + return @{ + Message = "Your device supports WDAC." + Status = "True" + } + } + return @{ + Message = "Only supported on Windows 10 and newer, as well as Windows Server 2016 and newer." + Status = "None" + } + } +} +[AuditTest] @{ + Id = "SBD-502" + Task = "Ensure Windows Defender Application ID Service is running." + Test = { + try{ + if((Get-Service -Name APPIDSvc -ErrorAction Stop).Status -eq "Running"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "AppLocker is not running. Currently: $((Get-Service -Name APPIDSvc -ErrorAction Stop).Status)" + Status = "False" + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "False" + } + } + } +} +# [AuditTest] @{ Check for executable rules - windows installer rules - script rules - packaged app rules +# Id = "SBD-042" +# Task = "Ensure Windows Defender Application ID Service is running." +# Test = { +# if((Get-Service -Name APPIDSvc).Status -eq "Running"){ +# return @{ +# Message = "Compliant" +# Status = "True" +# } +# } +# return @{ +# Message = "AppLocker is not running. Currently: $((Get-Service -Name APPIDSvc).Status)" +# Status = "False" +# } +# } +# } 
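Review bot: SBD-501's version gate is broken on both branches: `$isServer2016newer = $windowsServerVersions -contains $os` references `$os`, which is never assigned (the query stores into `$osVersion`), so it is always `$false`; and `$osVersion -ge '10.0.0.0'` compares the `Version` string lexically, so a build such as `6.3.9600` sorts above `10.0.0.0` and passes. Cast before comparing (`[version]$osVersion -ge [version]'10.0'`), and either match the server editions against `(Get-CimInstance Win32_OperatingSystem).Caption` or drop the caption list entirely, since Server 2016, 2019 and 2022 all report a 10.0 version and are already covered by the numeric test. In SBD-502 the failure message says "AppLocker is not running" while the Task names the Application Identity service; name the service whose status was read so the finding matches the check. The commented-out SBD-042 block at the end duplicates SBD-502 (same service, same messages) and should be removed rather than carried as dead code.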
diff --git a/ATAPAuditor/AuditGroups/SBD - Connectivity Security.ps1 b/ATAPAuditor/AuditGroups/SBD - Connectivity Security.ps1 new file mode 100644 index 0000000..f56c520 --- /dev/null +++ b/ATAPAuditor/AuditGroups/SBD - Connectivity Security.ps1 
@@ -0,0 +1,1434 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$listOfWeakCipherSuites = getListOfWeakCipherSuites +$listOfInsecureCipherSuites = getListOfInsecureCipherSuites +[AuditTest] @{ + Id = "SBD-401" + Task = "Ensure system is configured to deny remote access via Terminal Services." + Test = { + $value = (Get-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "System is not configured to deny remote access via Terminal Services." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-402" + Task = "Ensure system is configured to prevent RDP service." + Test = { + $value = (Get-ItemProperty -path "HKLM:\System\CurrentControlSet\Control\Terminal Server").AllowRemoteRPC + if($value -eq 0){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "System is not configured to prevent RDP service." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-403" + Task = "Ensure NTLM Session Server Security settings are configured." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0').NtlmMinServerSec + if($value -eq 537395200){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "NTLM Session Server Security settings are configured. Currently: $($value)" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-404" + Task = "Ensure WinFW Service is running." + Test = { + try{ + $value = (Get-Service WinRM -ErrorAction Stop).status + if($value -eq "Running"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + catch [System.SystemException]{ + return @{ + Message = "Service not found!" + Status = "False" + } + } + return @{ + Message = "WinFW Service is not running. 
Currently: $($value)" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-405" + Task = "Ensure NetBIOS is set to 'Disabled' for all active Network cards." + Test = { + try{ + $networkCards = Get-WmiObject win32_networkadapterconfiguration -filter 'IPEnabled=true' | select Description, TcpipNetBIOSOptions + $nonCompliantCards = @() + + for($i = 0; $i -lt $networkCards.Count; $i++){ + if($networkCards[$i].TcpipNetBIOSOptions -ne 0){ + $nonCompliantCards += $networkCards[$i] + } + } + + if($nonCompliantCards.Count -eq 0){ + return @{ + Message = "Compliant" + Status = "True" + } + } + if($nonCompliantCards.Count -eq $networkCards.Count){ + return @{ + Message = "All network cards have NETBIOS enabled." + Status = "False" + } + } + $message = "Following network cards have NETBIOS enabled: " + $nonCompliantCards.Description + return @{ + Message = $message + Status = "Warning" + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Value not found." + Status = "Error" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Value not found." + Status = "Error" + } + } + } +} +[AuditTest] @{ + Id = "SBD-406" + Task = "Ensure SMBv1 is set to 'Disabled'." + Test = { + $value = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State + if($value -eq "Disabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "SMBv1 is Enabled." + Status = "False" + } + } +} + +[AuditTest] @{ + Id = "SBD-407" + Task = "Disable SSLv2 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. 
Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-408" + Task = "Disable SSLv2 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-409" + Task = "Disable SSLv2 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-410" + Task = "Disable SSLv2 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-411" + Task = "Disable SSLv3 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-412" + Task = "Disable SSLv3 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-413" + Task = "Disable SSLv3 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-414" + Task = "Disable SSLv3 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-415" + Task = "Disable TLS1.0 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-416" + Task = "Disable TLS1.0 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-417" + Task = "Disable TLS1.0 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-418" + Task = "Disable TLS1.0 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-419" + Task = "Disable TLS1.1 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-420" + Task = "Disable TLS1.1 Protocol (Server DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-421" + Task = "Disable TLS1.1 Protocol (Client)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-422" + Task = "Disable TLS1.1 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-423" + Task = "Enable TLS1.2 Protocol (Server)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:
"` + +'
'` + +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-424" + Task = "Enable TLS1.2 Protocol (Server Default)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-425" + Task = "Enable TLS1.2 Protocol (Client)" + Test = { + $OS = Get-CimInstance Win32_OperatingSystem | Select-Object Caption + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. 
For more information, please refer to this link:
"` + +'
'` + +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if($OS -match "Server 2022" -or $OS -match "Windows 11"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-426" + Task = "Enable TLS1.2 Protocol (Client DisabledByDefault)" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" ` + -Name "DisabledByDefault" ` + | Select-Object -ExpandProperty "DisabledByDefault" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-427" + Task = "Disable NULL Cipher" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-428" + Task = "Disable DES Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-429" + Task = "Disable RC4 Cipher Suite - 40/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-430" + Task = "Disable RC4 Cipher Suite - 56/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-431" + Task = "Disable RC4 Cipher Suite - 64/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-432" + Task = "Disable RC4 Cipher Suite - 128/128" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." 
+ Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-433" + Task = "Disable AES 128/128 Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-434" + Task = "Enable AES 256/256 Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -eq 4294967295) { + return @{ + Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:
"` + +'
'` + +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings' + Status = "False" + } + } + if ($regValue -ne 1) { + return @{ + Message = "Registry value is '$regValue'. Expected: 1" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-435" + Task = "Disable Triple DES Cipher Suite" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-436" + Task = "Disable SHA-1 hash" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." 
+ Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-437" + Task = "Disable MD5 hash" + Test = { + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" ` + -Name "Enabled" ` + | Select-Object -ExpandProperty "Enabled" + + if ($regValue -ne 0) { + return @{ + Message = "Registry value is '$regValue'. Expected: 0" + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + return @{ + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + return @{ + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-438" + Task = "Configure Cipher Suite Ordering" + Test = { + #check if correct type + $typeTable = @{ + "String" = "String Value" + "Byte" = "Byte Value" + "Int32" = "DWORD (32-bit) Value" + "Int64" = "QWORD (64-bit) Value" + "String[]" = "Multi-String Value" + } + #Default status + $status = "Error" + + #Output + $verbInsecure = "rules have" + $verbWeak = "rules have" + + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + + $currentType = 
$typeTable[$res] + if ($res -ne [String]) { + return @{ + Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'String Value'" + Status = "False" + } + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue.Split(',') + $regValues = $regValues -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach($element in $regValues){ + if($listOfWeakCipherSuites.Contains($element)){ + $weakRulesFound += $element + } + if($listOfInsecureCipherSuites.Contains($element)){ + $insecureRulesFound += $element + } + } + if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"} + if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"} + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach($member in $weakRulesFound){ + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach($member in $insecureRulesFound){ + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){ + $message = "" + if($weakRulesFound.Count -eq 0){ $weakMessage = "" } + if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + return @{ + Message = $message + Status = $status + } + } + } + catch { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + $currentType = $typeTable[$res] + if ($res -ne [String[]]) { + return @{ + Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'Multi-String Value'" + Status = "False" + } + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach($element in $regValues){ + if($listOfWeakCipherSuites.Contains($element)){ + $weakRulesFound += $element + } + if($listOfInsecureCipherSuites.Contains($element)){ + $insecureRulesFound += $element + } + } + if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"} + if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"} + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach($member in $weakRulesFound){ + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach($member in $insecureRulesFound){ + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){ + $message = "" + if($weakRulesFound.Count -eq 0){ $weakMessage = "" } + if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + return @{ + Message = $message + Status = $status + } + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} diff --git a/ATAPAuditor/AuditGroups/SBD - Linux Base Security.ps1 b/ATAPAuditor/AuditGroups/SBD - Linux Base Security.ps1 new file mode 100644 index 0000000..8644305 --- /dev/null +++ b/ATAPAuditor/AuditGroups/SBD - Linux Base Security.ps1 
@@ -0,0 +1,462 @@ +function getKernelVersion { + $vsplit = $(uname -r).split('-') + if ($vsplit[1] -match '\.') { # Fedora + $vsplit[1] = $vsplit[1].split('.')[0] + } + return [version]($vsplit[0] + '.' + $vsplit[1]) +} +function commandExists { + param ( + $command + ) + return [bool](Get-Command -Name $command -ErrorAction SilentlyContinue) +} +[AuditTest] @{ + Id = "DSBD-001" + Task = "Ensure the system is booting in UEFI mode." + Test = { + if (Test-Path -Path /sys/firmware/efi) { + $status = @{ + Message = "Compliant" + Status = "True" + } + } else { + $status = @{ + Message = "System is not booting using UEFI mode." + Status = "False" + } + } + return $status + } +} +[AuditTest] @{ + Id = "DSBD-002" + Task = "Ensure the system is using SecureBoot." + Test = { + if (Test-Path -Path /sys/firmware/efi) { + if ($(mokutil --sb-state) -eq "SecureBoot enabled") { + $status = @{ + Message = "Compliant" + Status = "True" + } + } else { + $status = @{ + Message = "System is not booting using UEFI mode." + Status = "False" + } + } + } else { + $status = @{ + Message = "SecureBoot is only supported on UEFI." + Status= "False" + } + } + return $status + } +} +[AuditTest] @{ + Id = "DSBD-003" + Task = "Ensure the system has a TPM Chip." + Test = { + if (Test-Path -Path /dev/tpm0) { # /dev/tpmrm0 is _only_ for TPM 2.0 + $status = @{ + Message = "Compliant" + Status = "True" + } + } else { + $status = @{ + Message = "Could not detect a TPM chip" + Status = "False" + } + } + return $status + } +} +[AuditTest] @{ + Id = "DSBD-004" + Task = "Ensure the TPM Chip is implementing specification version 2.0 or higher." + Test = { + if ($(getKernelVersion) -ge [version]'5.6.0.0') { # For Ubuntu 20.04 e.g. 
+ $spec = [float](Get-Content -Path '/sys/class/tpm/tpm0/tpm_version_major') + } else { + $tpm2toolsMajorVersion = [int]($(tpm2_getcap -v) | Select-String -Pattern '^.+version=\"(\d)\..+$').Matches.Groups[1].Value + if ($tpm2toolsMajorVersion -le 3) { # old versions up to 3.x had a different syntax (Debian 9) + $text = $(tpm2_getcap -c properties-fixed) + $match = [regex]::matches($text, '(?smi)TPM_PT_FAMILY_INDICATOR: as UINT32: +0[xX][0-9a-fA-F]+ as string: +\"(\d\.\d)\"').Groups[1].Value + } else { # new versions 4.x (RHEL 8) + $text = $(tpm2_getcap properties-fixed) + $match = [regex]::matches($text, '(?smi)TPM2_PT_FAMILY_INDICATOR: raw: +0[xX][0-9a-fA-F]+ value: +\"(\d\.\d)\"').Groups[1].Value + } + $spec = [float]$match + } + + if ($spec -ge 2.0) { + return @{ + Message = "Compliant" + Status = "True" + } + } elseif ($spec -gt 0) { + return @{ + Message = "Specification version lower than 2.0 found." + Status = "Warning" + } + } else { + return @{ + Message = "No implemented specification version found." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-005" + Task = "Report the count of local users on the system." + Test = { + # Linux native alternative: grep -c ^ /etc/passwd + $countUsers = (Get-Content /etc/passwd).Count + return @{ + Message = "System has $countUsers local users" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "DSBD-006" + Task = "Report the count of local interactive users on the system." + Test = { + $countUsers = (Get-Content /etc/passwd | Where-Object {-not ($_ -match "/usr/sbin/nologin" -or $_ -match "/bin/false" -or $_ -match "/bin/sync")}).Count + $status = switch ($countUsers) { + {($PSItem -ge 0) -and ($PSItem -le 2)}{ # 0, 1, 2 + @{ + Message = "Compliant" + Status = "True" + } + } + {($PSItem -gt 2) -and ($PSItem -le 5)}{ # 3, 4, 5 + @{ + Message = "System has 3-5 local users." + Status = "Warning" + } + } + {$PSItem -gt 5}{ # 6, ... + @{ + Message = "System has 6 or more local users." 
+ Status = "False" + } + } + Default { + @{ + Message = "Cannot determine the count of local users" + Status = "Error" + } + } + } + return $status + } +} +[AuditTest] @{ + Id = "DSBD-007" + Task = "Get the count of admin users on the system." + Test = { + $usersSudo = ($(getent group sudo) -split ":")[3] + $usersRoot = ($(getent group root) -split ":")[3] + $usersWheel = ($(getent group wheel) -split ":")[3] + $usersAdmin = ($(getent group admin) -split ":")[3] + $usersAdm = ($(getent group adm) -split ":")[3] + $userIdZero = ($(getent passwd 0) -split ":")[0] + $allUsersArr = @($usersSudo, $usersRoot, $usersWheel, $usersAdmin, $usersAdm, $userIdZero) | Where-Object {$_ -ne "" -and $_ -ne $null} | Sort-Object | Get-Unique + $status = switch ($allUsersArr.Count) { + {($PSItem -ge 0) -and ($PSItem -le 2)}{ # 0, 1, 2 + @{ + Message = "Compliant" + Status = "True" + } + } + {($PSItem -gt 2) -and ($PSItem -le 5)}{ # 3, 4, 5 + @{ + Message = "System has 3-5 admin users." + Status = "Warning" + } + } + {$PSItem -gt 5}{ # 6, ... + @{ + Message = "System has 6 or more admin users." + Status = "False" + } + } + Default { + @{ + Message = "Cannot determine the count of admin users" + Status = "Error" + } + } + } + return $status + } +} +[AuditTest] @{ + Id = "DSBD-008" + Task = "Ensure the NX bit is set." + Test = { + $query = (-split (Get-Content /proc/cpuinfo | Where-Object {$_ -match '^flags.*$'} | Get-Unique)) -Contains 'nx' + if ($query) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "The NX bit is not set." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-009" + Task = "Ensure the ASLR is enabled." + Test = { + $query = [int](Get-Content /proc/sys/kernel/randomize_va_space) + if ($query -ge 2) { + return @{ + Message = "Compliant" + Status = "True" + } + } elseif ($query -eq 1) { + return @{ + Message = "ASLR is partially enabled." 
+ Status = "Warning" + } + } else { + return @{ + Message = "ASLR is not enabled." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-010" + Task = "Ensure AppArmor or SELinux is enabled." + Test = { + if (commandExists 'aa-status') { + $AppArmorStatus = ($(aa-status) -match '^apparmor module is loaded.*$').Count -gt 0 + } + if (commandExists 'getenforce') { + $SELinuxStatus = ($(getenforce) -match 'Enforcing$').Count -gt 0 + } + + if ($AppArmorStatus -or $SELinuxStatus) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "Neither AppArmor nor SELinux are enabled." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-011" + Task = "Ensure CPU has no known vulnerabilities." + Test = { + $query = ((Get-Content /sys/devices/system/cpu/vulnerabilities/*) -match '^Vulnerable.*$').Count + if ($query -eq 0) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "System has $query known CPU vulnerabilities." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-012" + Task = "Ensure root login using SSH is not permitted." + Test = { + $rootLoginDisabled = [bool](Get-Content /etc/ssh/sshd_config | Select-String -Pattern '^PermitRootLogin no').Matches.Length + if ($rootLoginDisabled) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "Login for root using SSH is permitted." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-013" + Task = "Ensure a firewall is installed (ufw, iptables, nftables)." 
+ Test = { + if (commandExists dpkg) { + $ufwInstalled = [bool]($(dpkg -s ufw 2> /dev/zero) -match 'Status: install').Count + $iptablesInstalled = [bool]($(dpkg -s iptables 2> /dev/zero) -match 'Status: install').Count + $nftablesInstalled = [bool]($(dpkg -s nftables 2> /dev/zero) -match 'Status: install').Count + } + if (commandExists rpm) { + $ufwInstalled = [bool]($(rpm -qa) -match '^ufw.+$').Count + $iptablesInstalled = [bool]($(rpm -qa) -match '^iptables.+$').Count + $nftablesInstalled = [bool]($(rpm -qa) -match '^nftables.+$').Count + } + if ($ufwInstalled -or $iptablesInstalled -or $nftablesInstalled) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "Login for root using SSH is permitted." + Status = "False" + } + } + } +} +function getFilePermissionsRegex { + Param( + [Parameter(Mandatory=$true)][String][ValidateNotNullOrEmpty()]$filePath + ) + $text = stat $filePath + $match = [regex]::matches($text, '\S+:\s+\((\d+)\/\S+\)\s+Uid:\s+\(\s*(\d+)\/\s+(\S+)\)\s+Gid:\s+\(\s+(\d+)\/\s+(\S+)\)') + return [ordered]@{ + permissionsOct = $match.Groups[1].Value + ownerUserId = $match.Groups[2].Value + ownerUserName = $match.Groups[3].Value + ownerGroupId = $match.Groups[4].Value + ownerGroupName = $match.Groups[5].Value + } +} +function checkFilePermissions { + Param( + [Parameter(Mandatory=$true)][String][ValidateNotNullOrEmpty()]$filePath, + [Parameter(Mandatory=$true)][String][ValidateNotNullOrEmpty()]$permissionsOct, + [Parameter(Mandatory=$true)][String][ValidateNotNullOrEmpty()]$ownerUserName, + [Parameter(Mandatory=$true)][String][ValidateNotNullOrEmpty()]$ownerGroupName + ) + # calculate mode + $item = Get-Item $filePath + $modeLowerBits = $item.UnixStat.Mode -band 4095 # 4095_(10) = 111111111111_(2) = 7777_(8) = FFF_(16) + $mode = [Convert]::ToString($modeLowerBits, 8) # Conversion not necessary in future: https://github.com/PowerShell/PowerShell/issues/16757 , alternative: stat -c '%a' /etc/passwd + # check for 
same or more restricted permissions + foreach ($i in 0..($mode.Length - 1)) { + if ($mode[$i] -gt $permissionsOct[$i]) { + return $false # = less restrictive + } + } + # check owning user and group + return $item.User -eq $ownerUserName -and $item.Group -eq $ownerGroupName +} +[AuditTest] @{ + Id = "DSBD-014" + Task = "Ensure /etc/passwd and /etc/passwd- have proper file permissions." + Test = { + $result = checkFilePermissions '/etc/passwd' '644' 'root' 'root' + if (Test-Path -Path '/etc/passwd-' -PathType Leaf) { + $result = $result -and (checkFilePermissions '/etc/passwd-' '644' 'root' 'root') + } + if ($result) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "The file permissions are not set correctly." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-015" + Task = "Ensure /etc/shadow and /etc/shadow- have proper file permissions." + Test = { + $result = (checkFilePermissions '/etc/shadow' '640' 'root' 'root') -or (checkFilePermissions '/etc/shadow' '640' 'root' 'shadow') + if (Test-Path -Path '/etc/shadow-' -PathType Leaf) { + $resultDash = (checkFilePermissions '/etc/shadow-' '640' 'root' 'root') -or (checkFilePermissions '/etc/shadow-' '640' 'root' 'shadow') + $result = $result -and $resultDash + } + if ($result) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "The file permissions are not set correctly." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-016" + Task = "Ensure /etc/group and /etc/group- have proper file permissions." + Test = { + $result = checkFilePermissions '/etc/group' '644' 'root' 'root' + if (Test-Path -Path '/etc/group-' -PathType Leaf) { + $result = $result -and (checkFilePermissions '/etc/group-' '644' 'root' 'root') + } + if ($result) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "The file permissions are not set correctly." 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-017" + Task = "Ensure /etc/gshadow and /etc/gshadow- have proper file permissions." + Test = { + $result = (checkFilePermissions '/etc/gshadow' '640' 'root' 'root') -or (checkFilePermissions '/etc/gshadow' '640' 'root' 'shadow') + if (Test-Path -Path '/etc/gshadow-' -PathType Leaf) { + $resultDash = (checkFilePermissions '/etc/gshadow-' '640' 'root' 'root') -or (checkFilePermissions '/etc/gshadow-' '640' 'root' 'shadow') + $result = $result -and $resultDash + } + if ($result) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "The file permissions are not set correctly." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "DSBD-018" + Task = "Ensure /etc/ssh/sshd_config has proper file permissions." + Test = { + $result = checkFilePermissions '/etc/ssh/sshd_config' '600' 'root' 'root' + if ($result) { + return @{ + Message = "Compliant" + Status = "True" + } + } else { + return @{ + Message = "The file permissions are not set correctly." + Status = "False" + } + } + } +} diff --git a/ATAPAuditor/AuditGroups/SBD - Platform Security.ps1 b/ATAPAuditor/AuditGroups/SBD - Platform Security.ps1 new file mode 100644 index 0000000..b0defa6 --- /dev/null +++ b/ATAPAuditor/AuditGroups/SBD - Platform Security.ps1 
@@ -0,0 +1,569 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +[AuditTest] @{ + Id = "SBD-101" + Task = "Ensure the system is booting in 'UEFI' mode." + Test = { + if (isWindows8OrNewer) { + $status = switch ($env:firmware_type) { + "UEFI" { + @{ + Message = "Compliant" + Status = "True" + } + } + "Legacy" { + @{ + Message = "System is booting using 'Legacy' mode." + Status = "False" + } + } + Default { + @{ + Message = "Unknown boot mode" + Status = "False" + } + } + } + return $status + } + else { + if ((bcdedit | findstr -i path | findstr -i winload.efi).Count -ge 1) { + return @{ + Message = "Compliant" + Status = "True" + } + } + elseif (((bcdedit | findstr -i path | findstr -i winload.exe).Count -ge 1)) { + return @{ + Message = "System is booting using 'Legacy' mode." + Status = "False" + } + } + else { + return @{ + Message = "Unknown boot mode" + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-102" + Task = "Virtualization Based Security: Ensure the system is using SecureBoot." + Test = { + if (isWindows8OrNewer) { + try { + $status = switch ($env:firmware_type) { + "UEFI" { + $obj = Confirm-SecureBootUEFI + } + "Legacy" { + return @{ + Message = "System is booting using 'Legacy' mode. SecureBoot not supported." + Status = "False" + } + } + Default { + return @{ + Message = "Unknown boot mode" + Status = "False" + } + } + } + } + catch [UnauthorizedAccessException] { + return @{ + Message = "Permission Denied" + Status = "Error" + } + } + $status = switch ($obj) { + $true { + @{ + Message = "Compliant" + Status = "True" + } + } + $false { + @{ + Message = "SecureBoot is supported but disabled." + Status = "False" + } + } + Default { + @{ + Message = "SecureBoot is not supported or system is in non-UEFI mode." 
+ Status = "False" + } + } + } + return $status + } + else { + return @{ + Message = "System does not support this feature (Windows 8 or newer required)." + Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "SBD-103" + Task = "Ensure the TPM Chip is 'present'." + Test = { + $hasTpm = hasTPM + if (($null -eq $hasTpm) -or ($false -eq $hasTpm)) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (isWindows8OrNewer) { + $obj = (Get-Tpm).TpmPresent + if ($obj -isnot [Boolean]) { + return @{ + Message = "Cannot get 'present' status of TPM." + Status = "Error" + } + } + $status = switch ($obj) { + $true { + @{ + Message = "Compliant" + Status = "True" + } + } + $false { + @{ + Message = "The TPM Chip is not 'present'." + Status = "False" + } + } + } + return $status + } + else { + # Get any property to see if a TPM is present + if (win7NoTPMChipDetected) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } else { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-104" + Task = "Ensure the TPM Chip is 'ready'." + Test = { + $hasTpm = hasTPM + if (($null -eq $hasTpm) -or ($false -eq $hasTpm)) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (isWindows8OrNewer) { + $obj = (Get-Tpm).TpmReady + if ($obj -isnot [Boolean]) { + return @{ + Message = "Cannot get 'ready' status of TPM." + Status = "Error" + } + } + $status = switch ($obj) { + $true { + @{ + Message = "Compliant" + Status = "True" + } + } + $false { + @{ + Message = "The TPM Chip is not 'ready'." + Status = "False" + } + } + } + return $status + } + else { + if (win7NoTPMChipDetected) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } else { + return @{ + Message = "System does not expose a 'ready' status" + Status = "None" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-105" + Task = "Ensure the TPM Chip is 'enabled'." 
+ Test = { + $hasTpm = hasTPM + if (($null -eq $hasTpm) -or ($false -eq $hasTpm)) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (isWindows8OrNewer) { + + $state = Get-WmiObject -class Win32_Tpm -namespace root\CIMV2\Security\MicrosoftTpm + if ($state.IsEnabled_InitialValue -eq $true) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "The TPM Chip is not 'enabled'." + Status = "False" + } + } + else { + if (win7NoTPMChipDetected) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (Get-CimInstance -ClassName Win32_Tpm -Namespace root\cimv2\security\microsofttpm | Select-Object -ExpandProperty IsEnabled_InitialValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "The TPM Chip is not 'enabled'." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-106" + Task = "Ensure the TPM Chip is 'activated'." + Test = { + $hasTpm = hasTPM + if (($null -eq $hasTpm) -or ($false -eq $hasTpm)) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (isWindows8OrNewer) { + $state = Get-WmiObject -class Win32_Tpm -namespace root\CIMV2\Security\MicrosoftTpm + if ($state.IsActivated_InitialValue -eq $true) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "The TPM Chip is not 'enabled'." + Status = "False" + } + } + else { + if (win7NoTPMChipDetected) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (Get-CimInstance -ClassName Win32_Tpm -Namespace root\cimv2\security\microsofttpm | Select-Object -ExpandProperty IsActivated_InitialValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "The TPM Chip is not 'activated'." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-107" + Task = "Ensure the TPM Chip is 'owned'." 
+ Test = { + $hasTpm = hasTPM + if (($null -eq $hasTpm) -or ($false -eq $hasTpm)) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (isWindows8OrNewer) { + $state = Get-WmiObject -class Win32_Tpm -namespace root\CIMV2\Security\MicrosoftTpm + if ($state.IsOwned_InitialValue -eq $true) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "The TPM Chip is not 'enabled'." + Status = "False" + } + } + else { + if (win7NoTPMChipDetected) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + if (Get-CimInstance -ClassName Win32_Tpm -Namespace root\cimv2\security\microsofttpm | Select-Object -ExpandProperty IsOwned_InitialValue) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "The TPM Chip is not 'owned'." + Status = "False" + } + } + + } + } +} +[AuditTest] @{ + Id = "SBD-108" + Task = "Ensure the TPM Chip is implementing specification version 2.0 or higher." + Test = { + $hasTpm = hasTPM + if (($null -eq $hasTpm) -or ($false -eq $hasTpm)) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + # get array of implemented spec versions + $obj = (Get-CimInstance -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm -ErrorAction SilentlyContinue | Select-Object -ExpandProperty SpecVersion) + if ($obj -eq $null) { + return @{ + Message = "No TPM Chip detected." + Status = "False" + } + } + # get main spec version (first element) + $obj = $obj.split(', ')[0] + + if ($obj -ge 2.0) { + return @{ + Message = "Compliant" + Status = "True" + } + } + elseif ($obj -gt 0) { + return @{ + Message = "Specification version lower than 2.0 found." + Status = "Warning" + } + } else { + return @{ + Message = "No implemented specification version found." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "SBD-109" + Task = "Virtualization Based Security: Ensure Virtualization Based Security is enabled and running." 
+ Test = { + $isWindows10OrNewer = isWindows10OrNewer + if($isWindows10OrNewer -eq $false){ + return @{ + Message = "System does not support this feature (Windows 10 or newer required)." + Status = "None" + } + } + $obj = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).VirtualizationBasedSecurityStatus + $status = switch ($obj) { + {$PSItem -eq 2} { + return @{ + Message = "Compliant" + Status = "True" + } + } + {$PSItem -eq 1} { + return @{ + Message = "VBS is activated but not running." + Status = "False" + } + } + {$PSItem -eq 0} { + return @{ + Message = "VBS is not activated." + Status = "False" + } + } + default { + return @{ + Message = "Cannot get the VBS status." + Status = "Error" + } + } + } + return $status + } +} +[AuditTest] @{ + Id = "SBD-110" + Task = "Virtualization Based Security: Ensure Hypervisor-protected Code Integrity (HVCI) is running." + Test = { + $isWindows10OrNewer = isWindows10OrNewer + if($isWindows10OrNewer -eq $false){ + return @{ + Message = "System does not support this feature (Windows 10 or newer required)." + Status = "None" + } + } + if ((Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning -contains 2) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "HVCI is not running." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "SBD-111" + Task = "Virtualization Based Security: Ensure Credential Guard is running." + Test = { + $value = isWindows10OrNewer + if($value -eq $false){ + return @{ + Message = "System does not support this feature (Windows 10 or newer required)." 
+ Status = "None" + } + } + $systemSKU = (Get-CimInstance Win32_OperatingSystem).Caption + $supportedSKUs = @("Windows Enterprise", "Windows Education", "Windows Server") + + $system = $systemSKU -replace "\d\s*", "" + $system = $system -replace "Microsoft ", "" + if($supportedSKUs.Contains($system)){ + if ((Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning -contains 1) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "Credential Guard is not running." + Status = "False" + } + } + } + else{ + if ((Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesConfigured -contains 1) { + return @{ + Message = "Credential Guard is configured but not running, due to incompatibility with $($systemSKU)
See Microsoft documentation for further information:
Here" + Status = "False" + } + } + else { + return @{ + Message = "Credential Guard is not configured." + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-112" + Task = "Virtualization Based Security: Ensure Security Services are running." + Test = { + $value = isWindows10OrNewer + if($value -eq $false){ + return @{ + Message = "System does not support this feature (Windows 10 or newer required)." + Status = "None" + } + } + $serviceRunningIDs = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning + if ($serviceRunningIDs -contains 0) { + return @{ + Message = "No Device Guard security services are running." + Status = "False" + } + } + if ($serviceRunningIDs -contains 1) { + $message += "Credential Guard" + } + if ($serviceRunningIDs -contains 2) { + if (![string]::IsNullOrEmpty($message)) { + $message += ", " + } + $message += "Memory Integrity (HVCI)" + } + if ($serviceRunningIDs -contains 3) { + if (![string]::IsNullOrEmpty($message)) { + $message += ", " + } + $message += "System Guard Secure Launch" + } + if ($serviceRunningIDs -contains 4) { + if (![string]::IsNullOrEmpty($message)) { + $message += ", " + } + $message += "SMM Firmware Measurement" + } + if ($serviceRunningIDs -contains 5) { + if (![string]::IsNullOrEmpty($message)) { + $message += ", " + } + $message += "Kernel-mode Hardware-enforced Stack Protection" + } + if ($serviceRunningIDs -contains 6) { + if (![string]::IsNullOrEmpty($message)) { + $message += ", " + } + $message += "Kernel-mode Hardware-enforced Stack Protection is configured in Audit mode" + } + if ($serviceRunningIDs -contains 7) { + if (![string]::IsNullOrEmpty($message)) { + $message += ", " + } + $message += "Hypervisor-Enforced Paging Translation" + } + return @{ + Message = "$message are running on Device Guard as services." + Status = "True" + } + } +} \ No newline at end of file 
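Review bot: in SBD-112 `$message` is never initialised and the final `return` hard-codes `Status = "True"`, so when SecurityServicesRunning is empty or null (neither 0 nor any service ID present) the test reports " are running on Device Guard as services." with Status True; initialise `$message = ""` before the checks and return False when it is still empty at the end. Also, the Windows 8+ branches of SBD-106 and SBD-107 return the copy-pasted SBD-105 failure message "The TPM Chip is not 'enabled'." where the legacy branches correctly say 'activated' and 'owned'. Two smaller points in SBD-111: the Credential Guard message ends in "Here" with no URL attached to it, and `$supportedSKUs.Contains($system)` is an exact string match, so a server caption that keeps an edition word after the digits are stripped (for example "Windows Server Datacenter") never matches "Windows Server" and such hosts are reported as incompatible.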
diff --git a/ATAPAuditor/AuditGroups/SBD - PowerShell Security.ps1 b/ATAPAuditor/AuditGroups/SBD - PowerShell Security.ps1 new file mode 100644 index 0000000..6aebf35 --- /dev/null +++ b/ATAPAuditor/AuditGroups/SBD - PowerShell Security.ps1 @@ -0,0 +1,204 @@ +[AuditTest] @{ + Id = "SBD-301" + Task = "Ensure PowerShell Version is set to version 5 or higher." + Test = { + if ($PSVersionTable.PSVersion.Major -ge 5) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell version is lower than 5. Current Version: $($PSVersionTable.PSVersion)" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-302" + Task = "Ensure PowerShell Version 2 is uninstalled." + Test = { + $ps2Found = $false + $messages = "The following PS2-related features are enabled:" + + $PSV2State = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State + if ($PSV2State -eq "Enabled") { + $messages += "
Windows PowerShell 2.0 Engine" + $ps2Found = $true + } + + $os = Get-CimInstance Win32_OperatingSystem + if ($os.ProductType -eq 1) { + $PSRootState = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State + if ($PSRootState -eq "Enabled") { + $messages += "
Windows PowerShell 2.0" + $ps2Found = $true + } + } + + if ($ps2Found -eq $true) { + return @{ + Message = $messages + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "SBD-303" + Task = "Ensure PowerShell is set to configured to use Constrained Language." + Test = { + $languageMode = $ExecutionContext.SessionState.LanguageMode + if($languageMode -eq "ConstrainedLanguage"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Language Mode is not set to 'Constrained Language'. Current configuration: $($languageMode)" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-304" + Task = "Ensure Execution policy is set to AllSigned / RemoteSigned." + Test = { + $execPolicy = Get-ExecutionPolicy + if($execPolicy -eq "AllSigned" -or $execPolicy -eq "RemoteSigned"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Execution Policy is not set to AllSigned / Remote Signed. Current configuration: $($execPolicy)" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-305" + Task = "Ensure PowerShell Commandline Audting is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell Commandline Auditing is not set to 'Enabled'." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-306" + Task = "Ensure PowerShell Module Logging is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue).EnableModuleLogging + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell Module Logging is not set to 'Enabled'." 
+ Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-307" + Task = "Ensure PowerShell ScriptBlockLogging is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell ScriptBlockLogging is not set to 'Enabled'." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-308" + Task = "Ensure PowerShell ScriptBlockInvocationLogging is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockInvocationLogging + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell ScriptBlockInvocationLogging is not set to 'Enabled'." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-309" + Task = "Ensure PowerShell Transcripting is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue).EnableTranscripting + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell Transcripting is not set to 'Enabled'." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-310" + Task = "Ensure PowerShell InvocationHeader is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue).EnableInvocationHeader + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell InvocationHeader is not set to 'Enabled'." 
+ Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-311" + Task = "Ensure PowerShell ProtectedEventLogging is set to 'Enabled'." + Test = { + $value = (Get-ItemProperty -path 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging' -ErrorAction SilentlyContinue).EnableProtectedEventLogging + if($value -eq 1){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "PowerShell ProtectedEventLogging is not set to 'Enabled'." + Status = "False" + } + } +} diff --git a/ATAPAuditor/AuditGroups/SBD - Windows Base Security.ps1 b/ATAPAuditor/AuditGroups/SBD - Windows Base Security.ps1 new file mode 100644 index 0000000..1a8f0e6 --- /dev/null +++ b/ATAPAuditor/AuditGroups/SBD - Windows Base Security.ps1 
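Review bot: SBD-303 reads `$ExecutionContext.SessionState.LanguageMode` of the auditor's own session rather than any persisted system setting, so the result only says whether this audit run itself was started in Constrained Language mode (in which case the other audit groups, which create COM objects and call .NET types, would not work), and a correctly locked-down host audited from a FullLanguage session is always reported as False. Either document that limitation in the Task string or check the configuration source that enforces the mode. Also fix the Task and Message texts: "set to configured to use" (SBD-303), "Audting" (SBD-305), and "Remote Signed" in the SBD-304 message versus "RemoteSigned" in its Task.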
@@ -0,0 +1,622 @@ +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" + +[AuditTest] @{ + Id = "SBD-201" + Task = "Get License status." + Test = { + $lcStatus = Get-LicenseStatus $SkipLicenseCheck + if ($lcStatus -eq "Licensed") { + return @{ + Message = "Compliant" + Status = "True" + } + } + if ($lcStatus -eq "License check has been skipped.") { + return @{ + Message = $lcStatus + Status = "None" + } + } + return @{ + Message = "System not licensed." + Status = "False" + } + } +} +[AuditTest] @{ + Id = "SBD-202" + Task = "Get amount of active local users on system. (0 - 2: True; 3 - 5: Warning; 6 or higher: False)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Standalone Workstation", "Member Workstation", "Standalone Server", "Member Server" } + ) + Test = { + $users = Get-LocalUser; + $amountOfActiveUser = 0; + foreach ($user in $users) { + if ($user.Enabled -eq $True) { + $amountOfActiveUser ++; + } + } + $status = switch ((Get-LocalUser).Count) { + { ($amountOfActiveUser -ge 0) -and ($amountOfActiveUser -le 2) } { + # 0, 1, 2 + @{ + Message = "Compliant" + Status = "True" + } + } + { ($amountOfActiveUser -gt 2) -and ($amountOfActiveUser -le 5) } { + # 3, 4, 5 + @{ + Message = "System has $($amountOfActiveUser) local users." + Status = "Warning" + } + } + { $amountOfActiveUser -gt 5 } { + # 6, ... + @{ + Message = "System has 6 or more local users. (Currently $($amountOfActiveUser) users.)" + Status = "False" + } + } + Default { + @{ + Message = "Cannot determine the count of local users" + Status = "Error" + } + } + } + return $status + } +} +[AuditTest] @{ + Id = "SBD-203" + Task = "Get amount of users and groups in administrators group on system. 
(0 - 2: True; 3 - 5: Warning; 6 or higher: False)" + Constraints = @( + @{ "Property" = "DomainRole"; "Values" = "Standalone Workstation", "Member Workstation", "Standalone Server", "Member Server" } + ) + Test = { + try { + #List all groups + function Get-ADAdminCount($groupname) { + try { + $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() + $root = $domain.GetDirectoryEntry() + $searcher = New-Object System.DirectoryServices.DirectorySearcher($root) + $searcher.Filter = "(&(objectCategory=group)(cn=$groupName))" + $group = $searcher.FindOne() + $groupDN = $group.Properties["distinguishedname"][0] + $searcher.Filter = "(&(objectCategory=user)(memberOf=$groupDN))" + $members = $searcher.FindAll() + return ($members | ForEach-Object { $_.Properties["distinguishedname"] }).Count + } + catch { + return 1 + } + } + + $allgroups = Get-LocalGroup -SID "S-1-5-32-544" | Get-LocalGroupMember + [int]$ADCount = 0 + [int]$localCount = 0 + foreach ($entry in $allgroups) { + if ($entry.PrincipalSource -eq "ActiveDirectory") { + $group = $entry.Name -split '\\' | Select-Object -Last 1 + $ADCount += Get-ADAdminCount $group + continue; + } + # only applies to Local Groups + $group = $entry.Name -split '\\' | Select-Object -Last 1 + try { + $localCount += (Get-LocalGroupMember $group -ErrorAction Stop).Count + } + catch [Microsoft.PowerShell.Commands.NotFoundException] { + $localCount++; + } + } + [int]$amountOfUserAndGroups = $ADCount + $localCount + $status = switch ($amountOfUserAndGroups) { + { ($amountOfUserAndGroups -ge 0) -and ($amountOfUserAndGroups -le 2) } { + # 0, 1, 2 + @{ + Message = "Total amount of users: $amountOfUserAndGroups
Amount of local users: $localCount
Amount of domain users: $ADCount
" + Status = "True" + } + } + { ($amountOfUserAndGroups -gt 2) -and ($amountOfUserAndGroups -le 5) } { + # 3, 4, 5 + @{ + Message = "Total amount of users: $amountOfUserAndGroups
Amount of local users: $localCount
Amount of domain users: $ADCount
" + Status = "Warning" + } + } + { $amountOfUserAndGroups -gt 5 } { + # 6, ... + @{ + Message = "Total amount of users: $amountOfUserAndGroups
Amount of local users: $localCount
Amount of domain users: $ADCount
" + Status = "False" + } + } + Default { + @{ + Message = "Cannot determine the count of admin users. Please check manually." + Status = "Error" + } + } + } + return $status + } + catch { + @{ + Message = "Cannot determine the count of admin users. Please check manually." + Status = "Error" + } + } + return $status + } +} +[AuditTest] @{ + Id = "SBD-204" + Task = "Ensure the status of the Bitlocker service is 'Running'." + Test = { + if (isWindows8OrNewer) { + if ((Get-WindowsOptionalFeature -Online -FeatureName Bitlocker).State -eq 'Disabled') { + return @{ + Message = "Bitlocker feature is not installed." + Status = "False" + } + } + } + $status = switch ((Get-Service BDESVC -ErrorAction SilentlyContinue).Status) { + "Running" { + @{ + Message = "Compliant" + Status = "True" + } + } + Default { + @{ + Message = "Bitlocker service is not 'Running'." + Status = "False" + } + } + } + return $status + } +} +[AuditTest] @{ + Id = "SBD-205" + Task = "Ensure that Bitlocker is activated on all volumes." + Test = { + try { + if (isWindows8OrNewer) { + if ((Get-WindowsOptionalFeature -Online -FeatureName Bitlocker).State -eq 'Disabled') { + return @{ + Message = "Bitlocker feature is not installed." + Status = "False" + } + } + $volumes = (Get-Bitlockervolume -ErrorAction Stop).Count + $volumes_fullenc = (Get-Bitlockervolume | Where-Object { $_.VolumeStatus -eq "FullyEncrypted" }).Count + } + else { + $volumes = (Get-CimInstance -Class Win32_EncryptableVolume -namespace Root\CIMV2\Security\MicrosoftVolumeEncryption | Measure-Object).Count + $volumes_fullenc = (Get-CimInstance -Class Win32_EncryptableVolume -namespace Root\CIMV2\Security\MicrosoftVolumeEncryption | Where-Object { $_.ProtectionStatus -eq 1 } | Measure-Object).Count + } + } + catch [System.Runtime.InteropServices.COMException] { + return @{ + Message = "Bitlocker status is unknown." + Status = "Error" + } + } + if ($volumes -lt 1) { + return @{ + Message = "Bitlocker status is unknown." 
+ Status = "Error" + } + } + $enc_ratio = $volumes_fullenc / $volumes + $status = switch ($enc_ratio) { + { $enc_ratio -ge 1 } { + @{ + Message = "Compliant" + Status = "True" + } + } + { $enc_ratio -lt 1 } { + @{ + Message = "Bitlocker is not activated on all volumes." + Status = "False" + } + } + Default { + @{ + Message = "Bitlocker status is unknown." + Status = "Error" + } + } + } + return $status + } +} +[AuditTest] @{ + Id = "SBD-206" + Task = "Ensure the status of the Windows Defender service is 'Running'." + Test = { + try { + $status = switch ((Get-Service WinDefend -ErrorAction Stop).Status) { + "Running" { + @{ + Message = "Compliant" + Status = "True" + } + } + default { + @{ + Message = "Service is not 'Running'." + Status = "False" + } + } + } + return $status + } + catch [Microsoft.PowerShell.Commands.ServiceCommandException] { + return @{ + Message = "Current version is not supported." + Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "SBD-207" + Task = "Ensure Windows Defender Application Guard is enabled." + Test = { + $isWindows10OrNewer = isWindows10OrNewer + if ($isWindows10OrNewer -eq $false) { + return @{ + Message = "System does not support this feature (Windows 10 or newer required)." + Status = "None" + } + } + $state = (Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State + if ($state -eq 'Enabled') { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "Windows Defender Application Guard is not enabled." + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "SBD-208" + Task = "Ensure the Windows Firewall is enabled on all profiles." 
+ Test = { + if (isWindows8OrNewer) { + if ((Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | Measure-Object).Count -gt 0) { + return @{ + Message = "Firewall is not enabled on all profiles" + Status = "False" + } + } + else { + return @{ + Message = "Compliant" + Status = "True" + } + } + } + else { + $fw = New-Object -ComObject hnetcfg.fwpolicy2 + $domain = $fw.FireWallEnabled(1) + $private = $fw.FireWallEnabled(2) + $public = $fw.FireWallEnabled(4) + if ($domain -and $private -and $public) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + return @{ + Message = "Firewall is not enabled on all profiles" + Status = "False" + } + } + } + } +} +[AuditTest] @{ + Id = "SBD-209" + Task = "Check if the last successful search for updates was in the past 24 hours." + Test = { + try { + $startdate = (New-Object -com "Microsoft.Update.AutoUpdate").Results.LastSearchSuccessDate + if ($null -eq $startdate) { + return @{ + Message = "There was no search found." + Status = "False" + } + } + $tdiff = New-TimeSpan -ErrorAction Stop -Start $startdate -End (Get-Date) + $status = switch ($tdiff.Hours) { + { ($PSItem -ge 0) -and ($PSItem -le 24) } { + @{ + Message = "Compliant" + Status = "True" + } + } + { ($PSItem -gt 24) -and ($PSItem -le 24 * 5) } { + @{ + Message = "Last search for updates was within 5 days." + Status = "Warning" + } + } + Default { + @{ + Message = "Last search for updates was more than 5 days ago." + Status = "False" + } + } + } + return $status + } + catch { + return @{ + Message = "Not supported on this system." + Status = "None" + } + } + } +} +[AuditTest] @{ + Id = "SBD-210" + Task = "Check if the last successful installation of updates was in the past 5 days." 
# Windows defender definitions do count as updates + Test = { + try { + $startdateObjects = get-wmiobject -class win32_quickfixengineering | Sort-Object -Property InstalledOn -Descending -ErrorAction Stop + $startdate = $startdateObjects[0].InstalledOn + if ($null -eq $startdate) { + $startdate = (New-Object -com "Microsoft.Update.AutoUpdate").Results.LastInstallationSuccessDate + } + if ($null -eq $startdate) { + return @{ + Message = "There was no date found." + Status = "False" + } + } + $tdiff = New-TimeSpan -Start $startdate -End (Get-Date) + if ($tdiff.Days -ge 5) { + return @{ + Message = "Compliant" + Status = "True" + } + } + else { + $status = switch ($tdiff.Hours) { + { ($PSItem -ge 0) -and ($PSItem -le 24 * 5) } { + return @{ + Message = "Compliant" + Status = "True" + } + } + { ($PSItem -gt 24 * 5) -and ($PSItem -le 24 * 31) } { + return @{ + Message = "Last installation of updates was within the last month." + Status = "Warning" + } + } + Default { + return @{ + Message = "Last installation of updates was more than a month ago." + Status = "False" + } + } + } + } + return $status + } + catch [System.Management.Automation.GetValueInvocationException] { + return @{ + Message = "Your device needs to restart to install updates" + Status = "None" + } + } + catch { + return @{ + Message = "Not supported on this system." + Status = "None" + } + } + } +} +### SBD - 211 Placeholder +### SBD - 212 Placeholder +### SBD - 213 Placeholder +[AuditTest] @{ + Id = "SBD-214" + Task = "Ensure Attack Surface Reduction (ASR) rules are enabled." 
+ Test = { + if (isWindows10OrNewer) { + $ruleids = (Get-MpPreference).AttackSurfaceReductionRules_Ids + $ruleactions = (Get-MpPreference).AttackSurfaceReductionRules_Actions + $RuleTable = for ($i = 0; $i -lt $ruleids.Count; $i++) { + [PSCustomObject]@{ + RuleId = $ruleids[$i] + RuleAction = $ruleactions[$i] + } + } + $countEnabled = ($RuleTable | Where-Object { $_.RuleAction -eq 1 } | Measure-Object).Count + + $status = switch ($countEnabled) { + { $PSItem -ge 12 } { + @{ + Message = "Compliant ($($countEnabled) rules enabled). For more information on ASR rules, check corresponding benchmarks." + Status = "True" + } + } + { ($PSItem -ge 1) -and ($PSItem -lt 12) } { + @{ + Message = "$($countEnabled) ASR rules are activated. For more information on ASR rules, check corresponding benchmarks." + Status = "Warning" + } + } + Default { + @{ + Message = "ASR rules are not enabled." + Status = "False" + } + } + } + return $status + } + else { + $windefrunning = CheckWindefRunning + if ((-not $windefrunning)) { + return @{ + Message = "This rule requires Windows Defender Antivirus to be enabled." 
+ Status = "None" + } + } + $countEnabled = 0 + $Rule1 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" + Value = "ExploitGuard_ASR_Rules" + }; + $bool = $($Rule1.Path1), $($Rule1.Path2) | Test-MultiplePaths -Key $($Rule1.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule2 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "26190899-1602-49e8-8b27-eb1d0a1ce869" + }; + $bool = $($Rule2.Path1), $($Rule2.Path2) | Test-MultiplePaths -Key $($Rule2.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule3 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "3b576869-a4ec-4529-8536-b80a7769e899" + }; + $bool = $($Rule3.Path1), $($Rule3.Path2) | Test-MultiplePaths -Key $($Rule3.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule4 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" + }; + $bool = $($Rule4.Path1), $($Rule4.Path2) | Test-MultiplePaths -Key $($Rule4.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule5 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" + }; + $bool = $($Rule5.Path1), $($Rule5.Path2) | Test-MultiplePaths -Key $($Rule5.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule6 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" + }; + $bool = $($Rule6.Path1), $($Rule6.Path2) | Test-MultiplePaths -Key $($Rule6.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule7 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" + }; + $bool = $($Rule7.Path1), $($Rule7.Path2) | Test-MultiplePaths -Key $($Rule7.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule8 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" + }; + $bool = $($Rule8.Path1), $($Rule8.Path2) | Test-MultiplePaths -Key $($Rule8.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule9 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = 
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" + }; + $bool = $($Rule9.Path1), $($Rule9.Path2) | Test-MultiplePaths -Key $($Rule9.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + $Rule10 = @{ + Path1 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" + Value = "56a863a9-875e-4185-98a7-b882c64b5ce5" + }; + $bool = $($Rule10.Path1), $($Rule10.Path2) | Test-MultiplePaths -Key $($Rule10.Value) -ExpectedValue 1 + if ($bool.Status -eq "True") { + $countEnabled++; + } + + $status = switch ($countEnabled) { + { $PSItem -ge 10 } { + @{ + Message = "Compliant ($($countEnabled) rules enabled). For more information on ASR rules, check corresponding benchmarks." + Status = "True" + } + } + { ($PSItem -ge 1) -and ($PSItem -lt 10) } { + @{ + Message = "$($countEnabled) ASR rules are activated. For more information on ASR rules, check corresponding benchmarks." + Status = "Warning" + } + } + Default { + @{ + Message = "ASR rules are not enabled." + Status = "False" + } + } + } + + return $status + } + } +} +[AuditTest] @{ + Id = "SBD-215" + Task = "Ensure system is on 64-bit version" + Test = { + $is64bit = [Environment]::Is64BitOperatingSystem + if ($is64bit -eq $True) { + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "System not 64bit." + Status = "False" + } + } +} diff --git a/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 new file mode 100644 index 0000000..27929d7 --- /dev/null +++ b/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1 
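Review bot: in the registry fallback branch, Rule1 reads the ExploitGuard_ASR_Rules value, which is the master enable switch for ASR rather than a rule, yet it is counted toward $countEnabled exactly like the ten GUID rules; when that switch is 0 the per-rule values have no effect, so check it first and return the "ASR rules are not enabled." result when it is absent or 0, and only then count the rule GUIDs. The two branches also apply different thresholds for the same "Compliant" message, `{ $PSItem -ge 12 }` on Windows 10 or newer and `{ $PSItem -ge 10 }` in the fallback, so the verdict depends on which code path ran rather than on the configuration; either document why 12 and 10 differ or derive both from one constant. The two switch blocks are otherwise identical and could be a small helper that takes $countEnabled and the threshold. Finally, both branches count only action value 1 (Block) and `-ExpectedValue 1`, so rules configured in Audit or Warn mode are reported as not enabled; that is a defensible policy, but the Message should say that only Block mode counts so the Warning is not misread as rules being absent.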
@@ -0,0 +1,3541 @@ +$parentPath = Split-Path -Parent -Path $PSScriptRoot +$scriptPath = $parentPath + "/Helpers/ShellScripts/SLE_15/" +$rcTrue = "True" +$rcCompliant = "Compliant" +$rcFalse = "False" +$rcNone = "None" +$rcNonCompliant = "Non-Compliant" +$rcNonCompliantManualReviewRequired = "Manual Review Required" +$rcCompliantIPv6isDisabled = "IPv6 is disabled" +$rcFirewallStatus1 = "Using firewalld with iptables" +$rcFirewallStatus2 = "Using nftables" +$rcFirewallStatus3 = "Using iptables" + +$retCompliant = @{ + Message = $rcCompliant + Status = $rcTrue +} +$retNonCompliant = @{ + Message = $rcNonCompliant + Status = $rcFalse +} +$retCompliantIPv6Disabled = @{ + Message = $rcCompliantIPv6isDisabled + Status = $rcTrue +} +$retNonCompliantManualReviewRequired = @{ + Message = $rcNonCompliantManualReviewRequired + Status = $rcNone +} +$retUsingFW1 = @{ + Message = $rcFirewallStatus1 + Status = $rcNone +} +$retUsingFW2 = @{ + Message = $rcFirewallStatus2 + Status = $rcNone +} +$retUsingFW3 = @{ + Message = $rcFirewallStatus3 + Status = $rcNone +} + + +$IPv6Status_script = @' +#!/bin/bash +[ -n "$passing" ] && passing="" +[ -z "$(grep "^\s*linux" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1)" ] && passing="true" +grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/*.conf && grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/*.conf && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && passing="true" +if [ "$passing" = true ] ; then + echo "IPv6 is disabled on the system" +else + echo "IPv6 is enabled on the system" +fi +'@ +$IPv6Status = bash -c $IPv6Status_script +if ($IPv6Status -match "enabled") { + $IPv6Status = "enabled" +} else { + $IPv6Status = "disabled" +} + + +# Firewall 
evaluation +function GetFirewallStatus { + # 0 = init. value, undefined + # 1 = using firewalld with iptabes as backend + # 2 = using nftables + # 3 = using iptables + $FirewallStatus = 0 + + # Testing for firewalld with iptables as backend + $test1 = rpm -q firewalld iptables + $test2 = rpm -q nftables + $test3 = systemctl status nftables | grep "active (running)" + $test4 = systemctl is-enabled nftables + $test5 = systemctl is-enabled firewalld + $test6 = firewall-cmd --state + if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and (!($test2 -match "nftables-") -or !($test3 -match "active (running)")) -and !($test4 -match "enabled") -and $test5 -match "enabled" -and $test6 -match "running") { + return 1 + } + + # Testing for nftables + $test1 = rpm -q nftables + $test2 = rpm -q firewalld + $test3 = systemctl status firewalld | grep "active (running)" + $test4 = systemctl is-enabled firewalld + $test5 = systemctl is-enabled nftables + if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and !($test4 -match "enabled") -and $test5 -match "enabled") { + return 2 + } + + # Testing for iptables + $test1 = rpm -q iptables + $test2 = rpm -q nftables + $test3 = rpm -q firewalld + $test4 = systemctl status firewalld | grep "active (running)" + $test5 = systemctl is-enabled firewalld + if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and !($test5 -match "enabled")) { + return 3 + } + + return $FirewallStatus +} + +$FirewallStatus = GetFirewallStatus +### Chapter 1 - Initial Setup + +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure mounting of squashfs filesystems is disabled" + Test = { + $result1 = modprobe -n -v squashfs | grep -E '(suqashfs|install)' + $result2 = lsmod | grep squashfs + if ($result1 -match "install /bin/true" -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} 
+ +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure mounting of udf filesystems is disabled" + Test = { + $result1 = modprobe -n -v udf | grep -E '(udf|install)' + $result2 = lsmod | grep udf + if ($result1 -match "install /bin/true" -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.1.3" + Task = "Ensure mounting of FAT filesystems is disabled" + Test = { + $result1 = modprobe -n -v fat | grep -E '(fat|install)' + $result2 = lsmod | grep udf + $result3 = modprobe -n -v vfat | grep -E '(vfat|install)' + $result4 = lsmod | grep udf + $result5 = modprobe -n -v msdos | grep -E '(msdos|install)' + $result6 = lsmod | grep udf + if ($result1 -match "install /bin/true" -and $result2 -eq $null -and $result3 -match "install /bin/true" -and $result4 -eq $null -and $result5 -match "install /bin/true" -and $result6 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2" + Task = "Ensure /tmp is configured" + Test = { + $result1 = mount | grep -E '\s/tmp\s' + if ($result1 -match "/tmp") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.3" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result1 = mount | grep -E '\s/tmp\s' | grep -v noexec + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.4" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $result1 = mount | grep -E '\s/tmp\s' | grep -v nodev + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.5" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $result1 = mount | grep -E '\s/tmp\s' | grep -v nosuid + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.6" + Task 
= "Ensure /dev/shm is configured" + Test = { + $result1 = mount | grep -E '\s/dev/shm\s' + $result2 = grep -E '\s/dev/shm\s' /etc/fstab + if ($result1 -ne $null -and $result2 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.7" + Task = "Ensure noexec option set on /dev/shm partition" + Test = { + $result1 = mount | grep -E '\s/dev/shm\s' | grep -v noexec + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.8" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $result1 = mount | grep -E '\s/dev/shm\s' | grep -v nodev + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.9" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $result1 = mount | grep -E '\s/dev/shm\s' | grep -v nosuid + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.10" + Task = "Ensure separate partition exists for /var" + Test = { + $result1 = mount | grep -E '\s/var\s' + if ($result1 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.11" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result1 = mount | grep /var/tmp + if ($result1 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.12" + Task = "Ensure noexec option set on /var/tmp partition" + Test = { + $result1 = mount | grep -E '\s/var/tmp\s' | grep -v noexec + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.13" + Task = "Ensure nodev option set on /var/tmp partition" + Test = { + $result1 = mount | grep -E '\s/var/tmp\s' | grep -v nodev + if ($result1 -eq $null) { + return $retCompliant + } 
else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.14" + Task = "Ensure nosuid option set on /var/tmp partition" + Test = { + $result1 = mount | grep -E '\s/var/tmp\s' | grep -v nosuid + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.15" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result1 = mount | grep -E '\s/var/log\s' + if ($result1 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.16" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result1 = mount | grep /var/log/audit + if ($result1 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.17" + Task = "Ensure separate partition exists for /home" + Test = { + $result1 = mount | grep /home + if ($result1 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.18" + Task = "Ensure nodev option set on /home partition" + Test = { + $result1 = mount | grep -E '\s/home\s' | grep -v nodev + if ($result1 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.19" + Task = "Ensure noexec option set on removable media partitions" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.1.20" + Task = "Ensure nodev option set on removable media partitions" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.1.21" + Task = "Ensure nosuid option set on removable media partitions" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.1.22" + Task = "Ensure sticky bit is set on all world-writable directories" + Test = { + $result_script = @' +#!/bin/bash +df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' 
find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null +'@ + $result = bash -c $result_script + if ($result -ne $null) { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.23" + Task = "Disable Automounting" + Test = { + $result = systemctl is-enabled autofs + if ($result -match "enabled") { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "1.2.1" + Task = "Ensure GPG keys are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.2.2" + Task = "Ensure package manager repositories are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "1.2.3" + Task = "Ensure gpgcheck is globally activated" + Test = { + $result = grep ^\s*gpgcheck /etc/zypp/zypp.conf + if ($result -match "gpgcheck=1") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.3.1" + Task = "Ensure sudo is installed" + Test = { + $result = rpm -q sudo + if ($result -match "sudo-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.3.2" + Task = "Ensure sudo commands use pty" + Test = { + $result = grep -Ei '^\s*Defaults\s+([^#]\S+,\s*)?use_pty\b' /etc/sudoers /etc/sudoers.d/* + if ($result -match "Defaults user_pty") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.3.3" + Task = "Ensure sudo log file exists" + Test = { + $result = grep -Ei '^\s*Defaults\s+([^#;]+,\s*)?logfile\s*=\s*(")?[^#;]+(")?' 
/etc/sudoers /etc/sudoers.d/* + if ($result -match "Defaults logfile=") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure aide is installed" + Test = { + $result = rpm -q aide + if ($result -match "aide-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure filesystem integrity is regularly checked" + Test = { + $result1 = crontab -u root -l | grep aide + $result2 = grep -r aide /etc/cron.* /etc/crontab + if ($result1 -ne $null -or $result2 -ne $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure bootloader password is set" + Test = { + $result1 = grep "^\s*set superusers" /boot/grub2/grub.cfg + $result2 = grep "^\s*password" /boot/grub2/grub.cfg + if ($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2 ") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure permissions on bootloader config are configured" + Test = { + $result = stat /boot/grub2/grub.cfg | grep "Uid: " + $result = $result | cut -d '(' -f 2 + $result = $result | cut -d '/' -f 1 + if($result -eq "0400" -or $result[1] -le 4){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure authentication required for single user mode" + Test = { + $result1 = grep /systemd-sulogin-shell /usr/lib/systemdm/system/rescue.service + $result2 = grep /systemd-sulogin-shell /usr/lib/systemdm/system/rescue.service + if($result1 -ne $null -and $result2 -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.1" + Task = "Ensure core dumps are restricted" + Test = { + $result1 = grep -E "^\s*\*\s+hard\s+core" /etc/security/limits.conf + $result2 = sysctl fs.suid_dumpable + $result3 = grep 
"fs\.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "hard core 0" -and $result2 -match "fs.suid_dumpable = 0" -and $result3 -match "fs.suid_dumpable = 0") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +# 1.6.2 implemented for journalctl only +[AuditTest] @{ + Id = "1.6.2" + Task = "Ensure XD/NX support is enabled" + Test = { + $result1 = journalctl | grep 'protection: active' + if($result1 -match "protection: active") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.3" + Task = "Ensure address space layout randomization (ASLR) is enabled" + Test = { + $result1 = sysctl kernel.randomize_va_space + $result2 = grep "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "kernel.randomize_va_space = 2" -and $result2 -match "kernel.randomize_va_space = 2") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.6.4" + Task = "Ensure prelink is disabled" + Test = { + $result1 = rpm -q prelink + if($result1 -match "package prelink is not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.1.1" + Task = "Ensure AppArmor is installed" + Test = { + $result1 = rpm -q apparmor-docs apparmor-parser apparmor-profiles apparmor-utils libapparmor1 + if($result1 -ne $null -or $result2 -ne $null) { + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.1.2" + Task = "Ensure AppArmor is enabled in the bootloader configuration" + Test = { + $result1 = grep "^\s*linux" /boot/grub2/grub.cfg | grep -v "apparmor=1" + $result2 = grep "^\s*linux" /boot/grub2/grub.cfg | grep -v "security=apparmor" + if($result1 -eq $null -and $result2 -eq $null) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.1.3" + Task = "Ensure all AppArmor Profiles are in enforce or 
complain mode" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + $profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1 + $result = expr $profileMode3 + $profileMode2 + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + if ($result -eq $profileMode1 -and $unconfinedProcesses -eq 0) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.7.1.4" + Task = "Ensure all AppArmor Profiles are enforcing" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + + if($profileMode1 -eq $profileMode2 -and $unconfinedProcesses -eq 0){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.1.1" + Task = "Ensure message of the day is configured properly" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd 2>/dev/null + if($result -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.1.2" + Task = "Ensure local login warning is configured peoperly" + Test = { + $result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + if($result -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.1.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $script = $scriptPath + "CIS-SEL15-1.8.1.3.sh" + $result = bash $script + if($result -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id 
= "1.8.1.4" + Task = "Ensure permissions on /etc/motd are configured" + Test = { + $result = stat -L /etc/motd | grep "0644" + if($result -eq $null -or $result -match "0644"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.8.1.5" + Task = "Ensure permissions on /etc/issue are configured" + Test = { + $result = stat -L /etc/issue | grep "0644" + if($result -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +if (Test-Path -Path '/etc/issue.net') { +[AuditTest] @{ + Id = "1.8.1.6" + Task = "Ensure permissions on /etc/issue.net are configured" + Test = { + $result = stat -L /etc/issue.net | grep "0644" + if($result -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +} + +[AuditTest] @{ + Id = "1.9" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + $output = zypper list-updates + $output = $? + if($output -match "True"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.10" + Task = "Ensure GDM is removed or login is configured" + Test = { + $result = rpm -q gdm + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +### Chapter 2 - Services + +[AuditTest] @{ + Id = "2.1.1" + Task = "Ensure xinetd is not installed" + Test = { + $result = rpm -q xinetd + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.1.1" + Task = "Ensure time synchronization is in use" + Test = { + $result = rpm -q chrony + if($result -match "chrony-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.1.2" + Task = "Ensure systemd-timesyncd is configured" + Test = { + $result = systemctl is-enabled systemd-timesyncd.service + if($result -match "enabled"){ + return $retCompliant + } else { + return 
$retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.1.3" + Task = "Ensure chrony is configured" + Test = { + $result1 = grep -E "^(server|pool)" /etc/chrony.conf + $result2 = grep ^OPTIONS /etc/sysconfig/chronyd + if($result1 -match "server " -and $result2 -match "-u chrony") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure X11 Server components are not installed" + Test = { + $result = rpm -qa xorg-x11-server* + if($result -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure CUPS is not installed" + Test = { + $result = rpm -q cups + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure DHCP Server is not installed" + Test = { + $result = rpm -q dhcp + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.6" + Task = "Ensure LDAP server is not installed" + Test = { + $result = rpm -q openldap2 + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.7" + Task = "Ensure nfs-utils is not installed or the nfs-server service is masked" + Test = { + $result1 = rpm -q nfs-utils + $result2 = rpm -q nfs-kernel-server + if($result1 -match "not installed" -and $result2 -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.8" + Task = "Ensure rpcbind is not installed or the rpcbind services are masked" + Test = { + $result = rpm -q rpcbind + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.9" + Task = "Ensure DNS Server is not installed" + Test = { + $result = rpm -q bind + if($result -match "not 
installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.10" + Task = "Ensure FTP Server is not installed" + Test = { + $result = rpm -q vsftpd + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.11" + Task = "Ensure HTTP Server is not installed" + Test = { + $result = rpm -q apache2 + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.12" + Task = "Ensure HTTP Server is not installed" + Test = { + $result = rpm -q dovecot + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.13" + Task = "Ensure Samba is not installed" + Test = { + $result = rpm -q samba + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.14" + Task = "Ensure HTTP Proxy Server is not installed" + Test = { + $result = rpm -q squid + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.15" + Task = "Ensure net-snmp is not installed" + Test = { + $result = rpm -q net-snmp + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.16" + Task = "Ensure mail transfer agent is configured for local-only mode" + Test = { + $result = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|\[?::1\]?):25\s' + if($result -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.17" + Task = "Ensure rsync is not installed or the rsyncd service is masked" + Test = { + $result = rpm -q rsync + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + 
+[AuditTest] @{ + Id = "2.2.18" + Task = "Ensure NIS server is not installed" + Test = { + $result = rpm -q ypserv + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.2.19" + Task = "Ensure telnet-server is not installed" + Test = { + $result = rpm -q telnet-server + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.1" + Task = "Ensure NIS Client is not installed" + Test = { + $result = rpm -q ypbind + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.2" + Task = "Ensure rsh client is not installed" + Test = { + $result = rpm -q rsh + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.3" + Task = "Ensure talk client is not installed" + Test = { + $result = rpm -q talk + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.4" + Task = "Ensure telnet client is not installed" + Test = { + $result = rpm -q telnet + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.3.5" + Task = "Ensure LDAP client is not installed" + Test = { + $result = rpm -q openldap2-clients + if($result -match "not installed"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "2.4" + Task = "Ensure nonessential services are removed or masked" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +## Chapter 3 - Network Configuration + +# sysctl wird ignoriert +[AuditTest] @{ + Id = "3.1.1" + Task = "Disable IPv6" + Test = { + if ($IPv6Status -match "disable") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + 
+[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $result = ip link show up + if($result -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.2.1" + Task = "Ensure IP forwarding is disabled" + Test = { + if ($IPv6Status -match "disable") { + $result1 = sysctl net.ipv4.ip_forward + $result2 = grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + if($result1 -match "net.ipv4.ip_forward = 0" -and $result2 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } else { + $result1 = sysctl net.ipv4.ip_forward + $result2 = grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + $result3 = sysctl net.ipv6.conf.all.forwarding + $result4 = grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + if($result1 -match "net.ipv4.ip_forward = 0" -and $result2 -eq $null -and $result3 -match "net.ipv6.conf.all.forwarding = 0" -and $result4 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } + + } +} + +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure packet redirect sending is disabled" + Test = { + $result1 = sysctl net.ipv4.conf.all.send_redirects + $result2 = sysctl net.ipv4.conf.default.send_redirects + $result3 = grep "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.send_redirects = 0" -and $result2 -match "net.ipv4.conf.default.send_redirects = 0" -and $result3 -match "net.ipv4.conf.all.send_redirects = 0" -and $result4 -match "net.ipv4.conf.default.send_redirects= 0"){ + return $retCompliant + } else { + return $retNonCompliant + } + 
} +} + +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure source routed packets are not accepted" + Test = { + if ($IPv6Status -match "disable") { + $result1 = sysctl net.ipv4.conf.all.accept_source_route + $result2 = sysctl net.ipv4.conf.default.accept_source_route + $result3 = grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.accept_source_route = 0" -and $result2 -match "net.ipv4.conf.default.accept_source_route = 0" -and $result3 -match "net.ipv4.conf.all.accept_source_route= 0" -and $result4 -match "net.ipv4.conf.default.accept_source_route= 0"){ + return $retCompliant + } else { + return $retNonCompliant + } + } else { + $result1 = sysctl net.ipv4.conf.all.accept_source_route + $result2 = sysctl net.ipv4.conf.default.accept_source_route + $result3 = grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + $result5 = sysctl net.ipv6.conf.all.accept_source_route + $result6 = sysctl net.ipv6.conf.default.accept_source_route + $result7 = grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + $result8 = grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.accept_source_route = 0" -and $result2 -match "net.ipv4.conf.default.accept_source_route = 0" -and $result3 -match "net.ipv4.conf.all.accept_source_route= 0" -and $result4 -match "net.ipv4.conf.default.accept_source_route= 0" -and $result5 -match "net.ipv6.conf.all.accept_source_route = 0" -and $result6 -match "net.ipv6.conf.default.accept_source_route = 0" -and $result7 -match "net.ipv4.conf.all.accept_source_route= 0" -and $result8 -match "net.ipv6.conf.default.accept_source_route= 0"){ + return $retCompliant + } else { + 
return $retNonCompliant + } + } + } +} + +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure ICMP redirects are not accepted" + Test = { + $result1 = sysctl net.ipv4.conf.all.accept_redirects + $result2 = sysctl net.ipv4.conf.default.accept_redirects + $result3 = grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.accept_redirects = 0" -and $result2 -match "net.ipv4.conf.default.accept_redirects = 0" -and $result3 -match "net.ipv4.conf.all.accept_redirects= 0" -and $result4 -match "net.ipv4.conf.default.accept_redirects= 0"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.3" + Task = "Ensure secure ICMP redirects are not accepted" + Test = { + $result1 = sysctl net.ipv4.conf.all.secure_redirects + $result2 = sysctl net.ipv4.conf.default.accept_redirects + $result3 = grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.accept_redirects = 0" -and $result2 -match "net.ipv4.conf.default.accept_redirects = 0" -and $result3 -match "net.ipv4.conf.all.accept_redirects= 0" -and $result4 -match "net.ipv4.conf.default.accept_redirects= 0"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure suspicious packets are logged" + Test = { + $result1 = sysctl net.ipv4.conf.all.log_martians + $result2 = sysctl net.ipv4.conf.default.log_martians + $result3 = grep "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.log_martians = 1" -and $result2 -match "net.ipv4.conf.default.log_martians = 1" -and 
$result3 -match "net.ipv4.conf.all.log_martians = 1" -and $result4 -match "net.ipv4.conf.default.log_martians = 1"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure broadcast ICMP requests are ignored" + Test = { + $result1 = sysctl net.ipv4.icmp_echo_ignore_broadcasts + $result2 = grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1" -and $result2 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure bogus ICMP responses are ignored" + Test = { + $result1 = sysctl net.ipv4.icmp_ignore_bogus_error_responses + $result2 = grep "net.ipv4.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1" -and $result2 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure Reverse Path Filtering is enabled" + Test = { + $result1 = sysctl net.ipv4.conf.all.rp_filter + $result2 = sysctl net.ipv4.conf.default.rp_filter + $result3 = grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv4.conf.all.rp_filter = 1" -and $result2 -match "net.ipv4.conf.default.rp_filter = 1" -and $result3 -match "net.ipv4.conf.all.rp_filter = 1" -and $result4 -match "net.ipv4.conf.default.rp_filter = 1"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure TCP SYN Cookies is enabled" + Test = { + $result1 = sysctl net.ipv4.tcp_syncookies + $result2 = grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 
-match "net.ipv4.tcp_syncookies = 1" -and $result2 -match "net.ipv4.tcp_syncookies = 1"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure IPv6 router advertisements are not accepted" + Test = { + if ($IPv6Status -match "disabled") { + return $retCompliantIPv6Disabled + } + $result1 = sysctl net.ipv6.conf.all.accept_ra + $result2 = sysctl net.ipv6.conf.default.accept_ra + $result3 = grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + $result4 = grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + if($result1 -match "net.ipv6.conf.all.accept_ra = 0" -and $result2 -match "net.ipv6.conf.default.accept_ra = 0" -and $result3 -match "net.ipv6.conf.all.accept_ra = 0" -and $result4 -match "net.ipv6.conf.default.accept_ra = 0"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.4.1" + Task = "Ensure TCP SYN Cookies is enabled" + Test = { + $result1 = modprobe -n -v dccp + $result2 = lsmod | grep dccp + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.4.2" + Task = "Ensure SCTP is disabled" + Test = { + $result1 = modprobe -n -v sctp + $result2 = lsmod | grep sctp + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +### Chapter 3.5.1.X firewalld +if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 1) ){ +[AuditTest] @{ + Id = "3.5.1.1" + Task = "Ensure FirewallD is installed" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result = rpm -q firewalld iptables + if($result -match "firewalld-" -and $result -match "iptables-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = 
"3.5.1.2" + Task = "Ensure nftables is not installed or stopped and masked" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result1 = rpm -q nftables + $result21 = systemctl status nftables | grep "active (running)" + $result22 = systemctl is-enabled nftables + if($result1 -match "not installed" -or (!($result21 -match "active (running)") -and !($result22 -match "enabled"))){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.1.3" + Task = "Ensure firewalld service is enabled and running" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result1 = systemctl is-enabled firewalld + $result2 = firewall-cmd --state + if($result1 -match "enabled" -and $result2 -match "running"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.1.4" + Task = "Ensure default zone is set" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result = firewall-cmd --get-default-zone + if($result -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.1.5" + Task = "Ensure network interfaces are assigned to appropriate zone" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.5.1.6" + Task = "Ensure unnecessary services and ports are not accepted" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + return $retNonCompliantManualReviewRequired + } +} +} + +### Chapter 3.5.2.X nftables +if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 2) ){ +[AuditTest] 
@{ + Id = "3.5.2.1" + Task = "Ensure nftables is installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result = rpm -q nftables + if($result -match "nftables-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.2" + Task = "Ensure firewalld is not installed or stopped and masked" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result1 = rpm -q firewalld + $result21 = systemctl status firewalld | grep "Active: " | grep -v "active (running) " + $result22 = systemctl is-enabled firewalld + if($result1 -match "not installed" -or ($result21 -eq $null -and $result22 -match "masked")){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.3" + Task = "Ensure iptables are flushed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.5.2.4" + Task = "Ensure a table exists" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result = nft list tables + if($result -match "table inet filter") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.5" + Task = "Ensure base chain exist" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result1 = nft list ruleset | grep 'hook input' + $result2 = nft list ruleset | grep 'hook forward' + $result3 = nft list ruleset | grep 'hook output' + if($result1 -match "type filter hook input priority 0;" -and $result2 -match "type filter hook forward priority 0;" -and $result3 -match "type filter hook 
output priority 0;") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.6" + Task = "Ensure loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + $result2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + if($result1 -match "iif ""lo"" accept" -and $result2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.7" + Task = "Ensure outbound and established connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.5.2.8" + Task = "Ensure default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result1 = nft list ruleset | grep 'hook input' + $result2 = nft list ruleset | grep 'hook forward' + $result3 = nft list ruleset | grep 'hook output' + if($result1 -match "type filter hook input priority 0; policy drop;" -and $result2 -match "type filter hook forward priority 0; policy drop;" -and $result3 -match "type filter hook output priority 0; policy drop;") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.9" + Task = "Ensure nftables service is enabled" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $result = systemctl is-enabled nftables + if($result -match "enabled") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.2.10" + Task = 
"Ensure nftables rules are permanent" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $retNonCompliantManualReviewRequired + } +} +} + +### Chapter 3.5.3.X iptables +if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 3) ){ +[AuditTest] @{ + Id = "3.5.3.1.1" + Task = "Ensure iptables package is installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $result = rpm -q iptables + if($result -match "iptables-") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.3.1.2" + Task = "Ensure nftables is not installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $result = rpm -q nftables + if($result -match "not installed") { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.3.1.3" + Task = "Ensure firewalld is not installed or stopped and masked" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $result1 = rpm -q firewalld + $result21 = systemctl status firewalld | grep "Active: " | grep -v "active (running) " + $result22 = systemctl is-enabled firewalld + if($result1 -match "not installed" -or ($result21 -eq $null -and $result22 -match "masked")){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.3.2.1" + Task = "Ensure default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $output = iptables -L + $test11 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $result11 = $? + $test12 = $output -match "REJECT" | grep "Chain INPUT (policy REJECT)" + $result12 = $? 
+ $test21 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $result21 = $? + $test22 = $output -match "REJECT" | grep "Chain FORWARD (policy REJECT)" + $result22 = $? + $test31 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + $result31 = $? + $test32 = $output -match "REJECT" | grep "Chain OUTPUT (policy REJECT)" + $result32 = $? + if(($result11 -match "True" -or $result12 -match "True") -and ($result21 -match "True" -or $result22 -match "True") -and ($result31 -match "True" -or $result32 -match "True")){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.3.2.2" + Task = "Ensure iptables loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP" + $test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP" + if($test1 -ne $null -and $test2 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "3.5.3.2.3" + Task = "Ensure outbound and established connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.5.3.2.4" + Task = "Ensure firewall rules exist for all open ports" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.5.3.3.1" + Task = "Ensure IPv6 default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($IPv6Status -match "disabled") { + return $retCompliantIPv6Disabled + } + $output = ip6tables -L + $test11 = $output -match 
"DROP" | grep "Chain INPUT (policy DROP)" + $result11 = $? + $test12 = $output -match "REJECT" | grep "Chain INPUT (policy REJECT)" + $result12 = $? + $test21 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $result21 = $? + $test22 = $output -match "REJECT" | grep "Chain FORWARD (policy REJECT)" + $result22 = $? + $test31 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + $result31 = $? + $test32 = $output -match "REJECT" | grep "Chain OUTPUT (policy REJECT)" + $result32 = $? + if(($result11 -match "True" -or $result12 -match "True") -and ($result21 -match "True" -or $result22 -match "True") -and ($result31 -match "True" -or $result32 -match "True")){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.3.3.2" + Task = "Ensure IPv6 loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($IPv6Status -match "disabled") { + return $retCompliantIPv6Disabled + } + $output1 = ip6tables -L INPUT -v -n + $test1 = $output1 | grep "ACCEPT\s*all\s*lo\s**\s*::/0\s*::/0" + $test2 = $output1 | grep "DROP\s*all\s**\s**\s*::1\s*::/0" + $output2 = ip6tables -L OUTPUT -v -n + $test3 = $output2 | grep "ACCEPT\s*all\s*lo\s**\s*::/0\s*::/0" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "3.5.3.3.3" + Task = "Ensure IPv6 outbound and established connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($IPv6Status -match "disabled") { + return $retCompliantIPv6Disabled + } + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "3.5.3.3.4" + Task = "Ensure IPv6 firewall rules exist for all open ports" + Test = { + if ($FirewallStatus -match 1) { + return 
$retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW2 + } + if ($IPv6Status -match "disabled") { + return $retCompliantIPv6Disabled + } + return $retNonCompliantManualReviewRequired + } +} +} + +## Chapter 4 Logging and Auditing + +[AuditTest] @{ + Id = "4.1.1.1" + Task = "Ensure auditd is installed" + Test = { + $test = rpm -q audit + if($test -match "audit-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.1.2" + Task = "Ensure auditd service is enabled and running" + Test = { + $test1 = systemctl is-enabled auditd + $test2 = systemctl status auditd | grep 'Active: active (running) ' + if($test1 -match "enabled" -and $test2 -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.1.3" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $test = grep "^\s*linux" /boot/grub2/grub.cfg | grep -v "audit=1" + if($test -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.1.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $test = grep max_log_file_action /etc/audit/auditd.conf + if($test -match "max_log_file_action = keep_logs"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $test1 = grep space_left_action /etc/audit/auditd.conf + $test2 = grep action_mail_acct /etc/audit/auditd.conf + $test3 = grep admin_space_left_action /etc/audit/auditd.conf + if($test1 -match "space_left_action = email" -and $test2 -match "action_mail_acct = root" -and $test3 -match "admin_space_left_action = halt"){ + return $retCompliant + } else { + return 
$retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.2.4" + Task = "Ensure system is disabled when audit logs are full" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.1.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $test1 = grep time-change /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep time-change + if($test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" -and + $test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" -and + $test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b64 -S clock_settime -k time-change" -and + $test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b32 -S clock_settime -k time-change" -and + $test1 -match "/etc/audit/rules.d/time_change.rules:-w /etc/localtime -p wa -k time-change" -and + $test2 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change" -and + $test2 -match "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" -and + $test2 -match "-a always,exit -F arch=b64 -S clock_settime -F key=time-change" -and + $test2 -match "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" -and + $test2 -match "-w /etc/localtime -p wa -k time-change"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.4" + Task = "Ensure events that modify user/group information are collected" + Test = { + $test1 = grep identity /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep identity + if($test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/group -p wa -k identity" -and + $test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/passwd -p wa -k identity" -and + $test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/shadow -p wa -k identity" -and + $test1 -match 
"/etc/audit/rules.d/identity.rules:-w /etc/security/opasswd -p wa -k identity" -and + $test2 -match "-w /etc/group -p wa -k identity" -and + $test2 -match "-w /etc/passwd -p wa -k identity" -and + $test2 -match "-w /etc/shadow -p wa -k identity" -and + $test2 -match "-w /etc/security/opasswd -p wa -k identity"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + $test1 = grep system-locale /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep system-locale + if($test1 -match "/etc/audit/rules.d/system-locale.rules:-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" -and + $test1 -match "/etc/audit/rules.d/system-locale.rules:-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" -and + $test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/issue -p wa -k system-locale" -and + $test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/issue.net -p wa -k system-locale" -and + $test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/hosts -p wa -k system-locale" -and + $test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/sysconfig/network -p wa -k system-locale" -and + $test2 -match "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale" -and + $test2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale" -and + $test2 -match "-w /etc/issue -p wa -k system-locale" -and + $test2 -match "-w /etc/issue.net -p wa -k system-locale" -and + $test2 -match "-w /etc/hosts -p wa -k system-locale" -and + $test2 -match "-w /etc/sysconfig/network -p wa -k system-locale"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.6" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + $test1 = grep MAC-policy 
/etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep MAC-policy + if($test1 -match "/etc/audit/rules.d/MAC_policy.rules:-w /etc/selinux/ -p wa -k MAC-policy" -and $test1 -match "/etc/audit/rules.d/MAC_policy.rules:-w /usr/share/selinux/ -p wa -k MAC-policy" -and $test2 -match "-w /etc/selinux/ -p wa -k MAC-policy" -and $test2 -match "-w /usr/share/selinux/ -p wa -k MAC-policy"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.7" + Task = "Ensure login and logout events are collected" + Test = { + $test1 = grep logins /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep logins + if($test1 -match "/etc/audit/rules.d/logins.rules:-w /var/log/faillog -p wa -k logins" -and + $test1 -match "/etc/audit/rules.d/logins.rules:-w /var/log/lastlog -p wa -k logins" -and + $test1 -match "/etc/audit/rules.d/logins.rules:-w /var/log/tallylog -p wa -k logins" -and + $test2 -match "-w /var/log/faillog -p wa -k logins" -and + $test2 -match "-w /var/log/lastlog -p wa -k logins" -and + $test2 -match "-w /var/log/tallylog -p wa -k logins"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.8" + Task = "Ensure session initiation information is collected" + Test = { + $test1 = grep -E '(session|logins)' /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep -E '(session|logins)' + if($test1 -match "/etc/audit/rules.d/session.rules:-w /var/run/utmp -p wa -k session" -and + $test1 -match "/etc/audit/rules.d/session.rules:-w /var/log/wtmp -p wa -k logins" -and + $test1 -match "/etc/audit/rules.d/session.rules:-w /var/log/btmp -p wa -k logins" -and + $test2 -match "-w /var/run/utmp -p wa -k session" -and + $test2 -match "-w /var/log/wtmp -p wa -k logins" -and + $test2 -match "-w /var/log/btmp -p wa -k logins"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.9" + Task = "Ensure discretionary access control permission 
modification events are collected" + Test = { + $test1 = grep perm_mod /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep perm_mod + if($test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and + $test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and + $test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and + $test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and + $test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and + $test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and + $test2 -match "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and + $test2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and + $test2 -match "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and + $test2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and + $test2 -match "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and + $test2 -match "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F 
auid>=1000 -F auid!=-1 -F key=perm_mod"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.10" + Task = "Ensure discretionary access control permission modification events are collected" + Test = { + $test1 = grep access /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep access + if($test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" -and + $test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" -and + $test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" -and + $test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" -and + $test2 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" -and + $test2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" -and + $test2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access" -and + $test2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.11" + Task = "Ensure use of privileged commands is collected" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = 
"4.1.12" + Task = "Ensure successful file system mounts are collected" + Test = { + $test1 = grep mounts /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep mounts + if($test1 -match "/etc/audit/rules.d/mounts.rules:-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" -and + $test1 -match "/etc/audit/rules.d/mounts.rules:-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" -and + $test2 -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts" -and + $test2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.13" + Task = "Ensure file deletion events by users are collected" + Test = { + $test1 = grep delete /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep delete + if($test1 -match "/etc/audit/rules.d/deletion.rules:-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" -and + $test1 -match "/etc/audit/rules.d/deletion.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" -and + $test2 -match "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" -and + $test2 -match "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.14" + Task = "Ensure changes to system administration scope (sudoers) is collected" + Test = { + $test1 = grep scope /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep scope + if($test1 -match "/etc/audit/rules.d/scope.rules:-w /etc/sudoers -p wa -k scope" -and + $test1 -match "/etc/audit/rules.d/scope.rules:-w /etc/sudoers.d/ -p wa -k scope" -and + $test2 -match "-w /etc/sudoers -p wa -k 
scope" -and + $test2 -match "-w /etc/sudoers.d -p wa -k scope"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.15" + Task = "Ensure system administrator actions (sudolog) are collected" + Test = { + $test1 = grep -E "^\s*-w\s+$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//')\s+-p\s+wa\s+-k\s+actions" /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep actions + $test3 = echo "-w $(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//') -p wa -k actions" + if($test1 -match $test3 -and $test2 -match $test3){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.16" + Task = "Ensure kernel module loading and unloading is collected" + Test = { + $test1 = grep modules /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep modules + if($test1 -match "/etc/audit/rules.d/modules.rules:-w /sbin/insmod -p x -k modules" -and + $test1 -match "/etc/audit/rules.d/modules.rules:-w /sbin/rmmod -p x -k modules" -and + $test1 -match "/etc/audit/rules.d/modules.rules:-w /sbin/modprobe -p x -k modules" -and + $test1 -match "/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" -and + $test2 -match "-w /sbin/insmod -p x -k modules" -and + $test2 -match "-w /sbin/rmmod -p x -k modules" -and + $test2 -match "-w /sbin/modprobe -p x -k modules" -and + $test2 -match "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.1.17" + Task = "Ensure the audit configuration is immutable" + Test = { + $test = grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -1 + if($test -match "-e 2"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.1" + Task = "Ensure rsyslog is installed" + Test = { + $test = rpm -q rsyslog + if($test -match "rsyslog-"){ + 
return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.2" + Task = "Ensure rsyslog Service is enabled and running" + Test = { + $test1 = systemctl is-enabled rsyslog + $test2 = systemctl status rsyslog | grep 'active (running) ' + if($test1 -match "enabled" -and $test2 -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.3" + Task = "Ensure rsyslog default file permissions configured" + Test = { + $test = grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if($test -match "FileCreateMode"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.4" + Task = "Ensure logging is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "4.2.1.5" + Task = "Ensure rsyslog is configured to send logs to a remote log host" + Test = { + $test = grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if($test -ne $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.1.6" + Task = "Ensure remote rsyslog messages are only accepted on designated log hosts" + Test = { + $test1 = grep '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + $test2 = grep '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if($test1 -match "ModLoad imtcp" -and $test2 -match "InputTCPServerRun 514"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.1" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $test = grep -E ^\s*ForwardToSyslog /etc/systemd/journald.conf + if($test -match "ForwardToSyslog=yes"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.2" + Task = "Ensure journald is configured to compress large log files" + Test = { + $test = grep -E ^\s*Compress 
/etc/systemd/journald.conf + if($test -match "Compress=yes"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.2.3" + Task = "Ensure journald is configured to write logfiles to persistent disk" + Test = { + $test = grep -E ^\s*Storage /etc/systemd/journald.conf + if($test -match "Storage=persistent"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.3" + Task = "Ensure permissions on all logfiles are configured" + Test = { + $test = find /var/log -type f -perm /g+wx,o+rwx -exec ls -l '{}' \; + if($test -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "4.2.4" + Task = "Ensure logrotate is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled and running" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if($test1 -eq $null -and $test2 -match "active (running)"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test = stat /etc/crontab + if($test -match "0600/-rw-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $test = stat /etc/cron.hourly/ + if($test -match "0700/drwx"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $test = stat /etc/cron.daily + if($test -match "0700/drwx"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = 
{ + $test = stat /etc/cron.weekly + if($test -match "0700/drwx"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $test = stat /etc/cron.weekly + if($test -match "0700/drwx"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $test = stat /etc/cron.weekly + if($test -match "0700/drwx"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure cron is restricted to authorized users" + Test = { + $test = stat /etc/cron.deny + if($test -match "cannot stat"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure cron is restricted to authorized users" + Test = { + $test1 = stat /etc/at.deny + $test2 = stat /etc/at.allow + if($test1 -match "cannot stat" -and $test2 -match "0600/-rw-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure permissions on /etc/ssh/sshd_config are configured" + Test = { + $test1 = stat /etc/ssh/sshd_config + if($test1 -match "0600/-rw-"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +### TODO ... +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure permissions on SSH private host key files are configured" + Test = { + return $retCompliant + } +} + +### TODO... 
+[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + return $retCompliant + } +} + +[AuditTest] @{ + Id = "5.2.4" + Task = "Ensure SSH access is limited" + Test = { + $test = sshd -T | grep -E '^\s*(allow|deny)(users|groups)\s+\S+' + if($test -match "allowusers " -or $test -match "allowgroups " -or $test -match "denyusers " -or $test -match "denygroups "){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.5" + Task = "Ensure SSH LogLevel is appropriate" + Test = { + $test = sshd -T | grep loglevel + if($test -match "loglevel\s+VERBOSE" -or $test -match "loglevel\s+INFO"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.6" + Task = "Ensure SSH X11 forwarding is disabled" + Test = { + $test = sshd -T | grep -i x11forwarding + if($test -match "x11forwarding no"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +### TODO +[AuditTest] @{ + Id = "5.2.7" + Task = "Ensure SSH MaxAuthTries is set to 4 or less" + Test = { + $test = sshd -T | grep maxauthtries | grep maxauthtries | cut -d ' ' -f 2 + if($test -le 4){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.8" + Task = "Ensure SSH IgnoreRhosts is enabled" + Test = { + $test = sshd -T | grep ignorerhosts + if($test -match "ignorehosts yes"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.9" + Task = "Ensure SSH HostbasedAuthentication is disabled" + Test = { + $test = sshd -T | grep hostbasedauthentication + if($test -match "hostbasedauthentication no"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.10" + Task = "Ensure SSH root login is disabled" + Test = { + $test = sshd -T | grep permitrootlogin + if($test -match "permitrootlogin no"){ + return $retCompliant + } else { 
+ return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.11" + Task = "Ensure SSH PermitEmptyPasswords is disabled" + Test = { + $test = sshd -T | grep permitemptypasswords + if($test -match "permitemptypasswords no"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.12" + Task = "Ensure SSH PermitUserEnvironment is disabled" + Test = { + $test = sshd -T | grep permituserenvironment + if($test -match "permituserenvironment no"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.13" + Task = "Ensure only strong Ciphers are used" + Test = { + $test = sshd -T | grep ciphers + if($test -match "3des-cbc" -or $test -match "aes128-cbc" -or $test -match "aes192-cbc" -or $test -match "aes256-cbc"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.14" + Task = "Ensure only strong MAC algorithms are used" + Test = { + $test = sshd -T | grep -i "MACs" + if($test -match "hmac-md5" -or + $test -match "hmac-md5-96" -or + $test -match "hmac-ripemd160" -or + $test -match "hmac-sha1" -or + $test -match "hmac-sha1-96" -or + $test -match "umac-64@openssh.com" -or + $test -match "umac-128@openssh.com" -or + $test -match "hmac-md5-etm@openssh.com" -or + $test -match "hmac-md5-96-etm@openssh.com" -or + $test -match "hmac-ripemd160-etm@openssh.com" -or + $test -match "hmac-sha1-etm@openssh.com" -or + $test -match "hmac-sha1-96-etm@openssh.com" -or + $test -match "umac-64-etm@openssh.com" -or + $test -match "umac-128-etm@openssh.com"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.15" + Task = "Ensure only strong Key Exchange algorithms are used" + Test = { + $test = sshd -T | grep kexalgorithms + if($test -match "diffie-hellman-group1-sha1" -or + $test -match "diffie-hellman-group14-sha1" -or + $test -match "diffie-hellman-group-exchange-sha1"){ + return $retNonCompliant + 
} else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.16" + Task = "Ensure SSH Idle Timeout Interval is configured" + Test = { + $test1 = sshd -T | grep clientaliveinterval | cut -d ' ' -f 2 + $test2 = sshd -T | grep clientaliveinterval | cut -d ' ' -f 2 + if($test1 -ge 1 -and $test1 -le 300 -and $test2 -ge 1 -and $test2 -le 3){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.17" + Task = "Ensure SSH LoginGraceTime is set to one minute or less" + Test = { + $test = sshd -T | grep logingracetime | cut -d ' ' -f 2 + if($test -ge 1 -and $test1 -le 60){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +if (Test-Path -Path '/etc/issue.net') { +[AuditTest] @{ + Id = "5.2.18" + Task = "Ensure SSH warning banner is configured" + Test = { + $test = sshd -T | grep banner + if($test -match "banner /etc/issue.net"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +} + +[AuditTest] @{ + Id = "5.2.19" + Task = "Ensure SSH PAM is enabled" + Test = { + $test = sshd -T | grep -i usepam + if($test -match "usepam yes"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.20" + Task = "Ensure SSH AllowTcpForwarding is disabled" + Test = { + $test = sshd -T | grep -i allowtcpforwarding + if($test -match "allowtcpforwarding no"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.21" + Task = "Ensure SSH MaxStartups is configured" + Test = { + $test = sshd -T | grep -i maxstartups + if($test -match "maxstartups 10:30:60"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.2.22" + Task = "Ensure SSH MaxSessions is limited" + Test = { + $test = sshd -T | grep -i maxsessions | cut -d ' ' -f 2 + if($test -le 10){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +# unfertig; nochmal drüber gehen TODO 
+[AuditTest] @{ + Id = "5.3.1" + Task = "Ensure password creation requirements are configured" + Test = { + $test1 = grep -P '^\s*password\s+(requisite|required)\s+pam_cracklib.so\s+([^#]+\s+)*minlen=(1[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password + $test2 = grep -P '^\s*password\s+(?:requisite|required)\s+pam_cracklib\.so\s+(?:[^#]+\s+)*(?:(?!\2|\3|\4))(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])\s+(?:[^#]+\s+)*(?:(?!\1|\3|\4))(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])\s+(?:[^#]+\s+)*(?:(?!\1|\2|\4))(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])\s+(?:[^#]+\s+)*(?!\1|\2|\3)(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])' /etc/pam.d/common-password + if($test2 -match "dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1" -and $test1 -match "minlen=14"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +# unfertig; nochmal drüber gehen TODO +[AuditTest] @{ + Id = "5.3.2" + Task = "Ensure lockout for failed password attempts is configured" + Test = { + $test = grep -E '^\s*auth\s+\S+\s+pam_(tally2|unix)\.so' /etc/pam.d/login + if($test -match "deny=5"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.3.3" + Task = "Ensure password reuse is limited" + Test = { + $test = grep -P '^\s*password\s+(requisite|required)\s+pam_pwhistory\.so\s+([^#]+\s+)*remember=([5-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password | cut -d= -f2 + if($test -ge 5){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.1" + Task = "Ensure password hashing algorithm is SHA-512" + Test = { + $test = grep -Ei '^\s*^\s*ENCRYPT_METHOD\s+SHA512' /etc/login.defs + if($test -match "SHA512"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.2" + Task = "Ensure password expiration is 365 days or less" + Test = { + $test1 = grep ^\s*PASS_MAX_DAYS /etc/login.defs | cut -f2 + 
$test2_script = @' +#!/bin/bash +for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f5) +do + if [ $line -gt 365 ] + then + echo "FAIL" + fi +done +'@ + $test2 = bash -c $test2_script + if($test1 -gt 365 -or $test2 -match "FAIL"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.3" + Task = "Ensure minimum days between password changes is configured" + Test = { + $test1 = grep ^\s*PASS_MIN_DAYS /etc/login.defs | cut -f2 + $test2_script = @' +#!/bin/bash +for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f4) +do + if [ $line -lt 1 ] + then + echo "FAIL" + fi +done +'@ + $test2 = bash -c $test2_script + if($test1 -lt 1 -or $test2 -match "FAIL"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.4" + Task = "Ensure password expiration warning days is 7 or more" + Test = { + $test1 = grep ^\s*PASS_WARN_AGE /etc/login.defs | cut -f2 + $test2_script = @' +#!/bin/bash +for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f6) +do + if [ $line -lt 7 ] + then + echo "FAIL" + fi +done +'@ + $test2 = bash -c $test2_script + if($test1 -lt 7 -or $test2 -match "FAIL"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.5" + Task = "Ensure inactive password lock is 30 days or less" + Test = { + $test1 = useradd -D | grep INACTIVE | cut -d= -f2 + $test2_script = @' +#!/bin/bash +for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f7) +do + if [ $line -ge 30 ] + then + echo "FAIL" + fi +done +'@ + $test2 = bash -c $test2_script + if($test1 -gt 30 -or $test1 -eq -1 -or $test2 -match "FAIL"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.1.6" + Task = "Ensure all users last password change date is in the past" + Test = { + $test_script = @' +#!/bin/bash +for usr in $(cut -d: -f1 /etc/shadow); do + [[ $(chage --list $usr | grep '^Last password 
change' | cut -d: -f2) > $(date) ]] && echo "$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)"; done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.2" + Task = "Ensure system accounts are secured" + Test = { + $script1 = $scriptPath + "CIS-SEL15-5.4.2_1.sh" + $test1 = bash $script1 + $script2 = $scriptPath + "CIS-SEL15-5.4.2_2.sh" + $test2 = bash $script2 + if($test1 -eq $null -and $test2 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.3" + Task = "Ensure default group for the root account is GID 0" + Test = { + $test = grep "^root:" /etc/passwd | cut -f4 + if($test -eq 0){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.4" + Task = "Ensure default user shell timeout is configured" + Test = { + $script = $scriptPath + "CIS-SEL15-5.4.4.sh" + $test1 = bash $script + $test2 = grep -PR '^\s*([^$#;]+\s+)*TMOUT=(9[0-9][1-9]|0+|[1-9]\d{3,})\b\s*(\S+\s*)*(\s+#.*)?$' /etc/profile* /etc/bashrc.bashrc* + if($test1 -match "configured in file: /etc/profile.d/" -and $test2 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.4.5" + Task = "Ensure default user umask is configured" + Test = { + $test1 = grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc* + $test2 = grep -REi '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc* + if(($test1 -eq $null -or $test1 -match "No such file or directory") -and $test2 -match "UMASK\s*027"){ + return $retCompliant 
+ } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "5.5" + Task = "Ensure root login is restricted to system console" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +#TODO +[AuditTest] @{ + Id = "5.6" + Task = "Ensure access to the su command is restricted" + Test = { + $test1 = grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc* + $test2 = grep -REi '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc* + if(($test1 -eq $null -or $test1 -match "No such file or directory") -and $test2 -match "UMASK\s*027"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +### Chapter 6 - System Maintenance + +[AuditTest] @{ + Id = "6.1.1" + Task = "Audit system file permissions" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat /etc/passwd + if($test1 -match "0644"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat /etc/shadow + if($test1 -match "0640"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.4" + Task = "Ensure permissions on /etc/group are configured" + Test = { + $test1 = stat /etc/group + if($test1 -match "0644"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.5" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat /etc/passwd- + if($test1 -match "0644"){ + return 
$retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.6" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat /etc/shadow- + if($test1 -match "0640"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.7" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat /etc/group- + if($test1 -match "0644"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.8" + Task = "Ensure no world writable files exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + if($test1 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.9" + Task = "Ensure no unowned files or directories exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + if($test1 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.10" + Task = "Ensure no ungrouped files or directories exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup + if($test1 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.1.11" + Task = "Audit SUID executables" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.1.12" + Task = "Audit SGID executables" + Test = { + return $retNonCompliantManualReviewRequired + } +} + +[AuditTest] @{ + Id = "6.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.1.sh" + $test1 = bash $script1 + if($test1 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.2" + Task = 
"Ensure /etc/shadow password fields are not empty" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.2.sh" + $test1 = bash $script1 + if($test1 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.3" + Task = "Ensure root is the only UID 0 account" + Test = { + $test1_script = @' +#!/bin/bash +awk -F: '($3 == 0) { print $1 }' /etc/passwd +'@ + $test1 = bash -c $test1_script + if($test1 -match "root"){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.4" + Task = "Ensure root PATH Integrity" + Test = { + $test_script = @' +#!/bin/bash +if echo "$PATH" | grep -q "::" ; then + echo "Empty Directory in PATH (::)" +fi +if echo "$PATH" | grep -q ":$" ; then + echo "Trailing : in PATH" +fi +for x in $(echo "$PATH" | tr ":" " ") ; do + if [ -d "$x" ] ; then + ls -ldH "$x" | awk ' + $9 == "." {print "PATH contains current working directory (.)"} + $3 != "root" {print $9, "is not owned by root"} + substr($1,6,1) != "-" {print $9, "is group writable"} + substr($1,9,1) != "-" {print $9, "is world writable"}' + else + echo "$x is not a directory" + fi +done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.5" + Task = "Ensure all users' home directories exist" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.5.sh" + $test = bash $script1 + if($test -match "does not exist"){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.6" + Task = "Ensure users' home directories permissions are 750 or more restrictive" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.6.sh" + $test = bash $script1 + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.7" + Task = "Ensure users own their home directories" + Test = { + $script1 = $scriptPath + 
"CIS-SEL15-6.2.7.sh" + $test = bash $script1 + if($test -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.8" + Task = "Ensure users' dot files are not group or world writable" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.8.sh" + $test = bash $script1 + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.9" + Task = "Ensure no users have .forward files" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.9.sh" + $test = bash $script1 + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.10" + Task = "Ensure no users have .netrc files" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.10.sh" + $test = bash $script1 + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.11" + Task = "Ensure users' .netrc Files are not group or world accessible" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.11.sh" + $test = bash $script1 + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.12" + Task = "Ensure no users have .rhosts files" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.12.sh" + $test = bash $script1 + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.13" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $test_script = @' +#!/bin/bash +for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do + grep -q -P "^.*?:[^:]*:$i:" /etc/group + if [ $? 
-ne 0 ]; then + echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" + fi +done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.14" + Task = "Ensure no duplicate UIDs exist" + Test = { + $test_script = @' +#!/bin/bash +cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do + [ -z "$x" ] && break + set - $x + if (( $1 > 1 )); then + users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs) + echo "Duplicate UID ($2): $users" + fi +done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.15" + Task = "Ensure no duplicate GIDs exist" + Test = { + $test_script = @' +#!/bin/bash +cut -d: -f3 /etc/group | sort | uniq -d | while read x ; do + echo "Duplicate GID ($x) in /etc/group" +done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.16" + Task = "Ensure no duplicate user names exist" + Test = { + $test_script = @' +#!/bin/bash +cut -d: -f1 /etc/passwd | sort | uniq -d | while read x ; do + echo "Duplicate login name ${x} in /etc/passwd" +done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.17" + Task = "Ensure no duplicate group names exist" + Test = { + $test_script = @' +#!/bin/bash +cut -d: -f1 /etc/group | sort | uniq -d | while read x ; do + echo "Duplicate group name ${x} in /etc/group" +done +'@ + $test = bash -c $test_script + if($test -ne $null){ + return $retNonCompliant + } else { + return $retCompliant + } + } +} + +[AuditTest] @{ + Id = "6.2.18" + Task = "Ensure shadow group is empty" + Test = { + $script1 = $scriptPath + "CIS-SEL15-6.2.18_1.sh" + $test1 = bash $script1 + $script2 
= $scriptPath + "CIS-SEL15-6.2.18_2.sh" + $test2 = bash $script2 + if($test1 -eq $null -and $test2 -eq $null){ + return $retCompliant + } else { + return $retNonCompliant + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Ubuntu Linux 20.04-CIS-1.1.0.ps1 b/ATAPAuditor/AuditGroups/Ubuntu Linux 20.04-CIS-1.1.0.ps1 new file mode 100644 index 0000000..a227dfc --- /dev/null +++ b/ATAPAuditor/AuditGroups/Ubuntu Linux 20.04-CIS-1.1.0.ps1 
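Review bot: several tests in this file report compliance without verifying the control, which yields false-pass findings: 5.2.2 and 5.2.3 (SSH host key permissions) are `return $retCompliant` stubs under a TODO, 5.6 ("Ensure access to the su command is restricted") is a copy of the 5.4.5 umask check rather than a check of the su/pam_wheel configuration, 6.1.9 ("Ensure no unowned files or directories exist") reuses the `-perm -0002` find from 6.1.8 instead of `-nouser`, and 6.2.3 passes on `$test1 -match "root"` even when further UID 0 accounts are listed (compare the output to exactly `root`). Copy-paste errors in the same region: 5.1.6 and 5.1.7 both run `stat /etc/cron.weekly` instead of `/etc/cron.monthly` and `/etc/cron.d`; 5.2.8 greps `ignorerhosts` but matches "ignorehosts yes", so it can never pass; 5.2.16 reads `clientaliveinterval` into both `$test1` and `$test2` (the second should be `clientalivecountmax`); 5.2.17 tests `$test1 -le 60` although the variable is `$test`; 5.4.4 greps `/etc/bashrc.bashrc*` where the other tests use `/etc/bash.bashrc*`; 5.1.9 carries the title of 5.1.8 while checking at.deny/at.allow. Numeric comparisons on command output (5.2.7 `$test -le 4`, 5.2.22 `$test -le 10`, 5.3.3 `$test -ge 5`) compare strings lexicographically because the left operand is a string, so "10" -le 4 is true and "9" -le 10 is false; cast with `[int]` first. 5.4.3 uses `cut -f4` without `-d:`, so it returns the whole passwd line and the `-eq 0` check always fails; 5.1.1 requires `systemctl is-enabled cron` to print nothing (`$test1 -eq $null`) although an enabled unit prints "enabled"; and the 5.4.1.5 script flags `-ge 30` as FAIL although the title allows 30 days or less.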
@@ -0,0 +1,5012 @@ +function Get-IPv6Disabled{ + $test1 = sysctl net.ipv6.conf.all.disable_ipv6 + $test2 = sysctl net.ipv6.conf.default.disable_ipv6 + $grep = grep -E '^\s*net\.ipv6\.conf\.(all|default)\.disable_ipv6\s*=\s*1\b(\s+#.*)?$'/etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d: -f2 + if($test1 -match "net.ipv6.conf.all.disable_ipv6 = 1" -and $test2 -match "net.ipv6.conf.default.disable_ipv6 = 1" -and $grep -match "net.ipv6.conf.all.disable_ipv6 = 1" -and $grep -match "net.ipv6.conf.default.disable_ipv6 = 1"){ + return $true + } + return $false +} +$isIPv6Disabled = Get-IPv6Disabled + +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure mounting of cramfs filesystems is disabled" + Test = { + $result1 = modprobe -n -v cramfs | grep -E '(cramfs|install)' + $result2 = lsmod | grep cramfs + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure mounting of freevxfs filesystems is disabled" + Test = { + $result1 = modprobe -n -v freevxfs | grep -E '(freevxfs|install)' + $result2 = lsmod | grep freevxfs + + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.3" + Task = "Ensure mounting of jffs2 filesystetms is disabled" + Test = { + $result1 = modprobe -n -v jffs2 | grep -E '(jffs2|install)' + $result2 = lsmod | grep jffs2 + + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.4" + Task = "Ensure mounting of hfs filesystetms is disabled" + Test = { + $result1 = modprobe -n -v hfs | grep -E '(hfs|install)' + $result2 = lsmod | 
grep hfs + + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.5" + Task = "Ensure mounting of hfsplus filesystetms is disabled" + Test = { + $result1 = modprobe -n -v hfsplus | grep -E '(hfsplus|install)' + $result2 = lsmod | grep hfsplus + + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.6" + Task = "Ensure mounting of squashfs filesystems is disabled" + Test = { + $result1 = modprobe -n -v squashfs | grep -E '(squashfs|install)' + $result2 = lsmod | grep squashfs + + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.1.7" + Task = "Ensure mounting of udf filesystetms is disabled" + Test = { + $result1 = modprobe -n -v udf | grep -E '(udf|install)' + $result2 = lsmod | grep udf + + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.2" + Task = "Ensure /tmp is configured" + Test = { + $result = findmnt -n /tmp + if($result -match "/tmp"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.3" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $result = findmnt -n /tmp + if($result -match "nodev"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] 
@{ + Id = "1.1.4" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $result = findmnt -n /tmp + if($result -match "nosuid"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.5" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result = findmnt -n /tmp + if($result -match "noexec"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.6" + Task = "Ensure /dev/shm is configured" + Test = { + $result = findmnt -n /dev/shm + if($result -match "/dev/shm"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.7" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $result = findmnt -n /dev/shm + if($result -match "nodev"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.8" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $result = findmnt -n /dev/shm + if($result -match "nosuid"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.9" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $result = findmnt -n /dev/shm | grep -v noexec + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.10" + Task = "Ensure separate partition exists for /var" + Test = { + $result = findmnt /var + if($result -match "/var"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.11" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result = findmnt /var/tmp + if($result -match "/var/tmp"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.12" + Task = "Ensure /var/tmp partition includes the nodev option" + Test = { + $result = findmnt /var/tmp + if($result -match "nodev"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.13" + Task = "Ensure /var/tmp partition includes the nosuid option" + Test = { + $result = findmnt /var/tmp + if($result -match "nosuid"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.14" + Task = "Ensure /var/tmp partition includes the noexec option" + Test = { + $result = findmnt /var/tmp + if($result -match "noexec"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.15" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result = findmnt /var/log + if($result -match "/var/log"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.16" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result = findmnt /var/log/audit + if($result -match "/var/log/audit"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.17" + Task = "Ensure separate partition exists for /home" + Test = { + $result = findmnt /home + if($result -match 
"/home"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.18" + Task = "Ensure /home partition includes the nodev option" + Test = { + $result = findmnt /home + if($result -match "nodev"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.19" + Task = "Ensure nodev option set on removable media partitions" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-1.1.19-1.1.21.sh" + $result=bash $path + foreach($line in $result){ + if(!($line -match "nodev")){ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.20" + Task = "Ensure nosuid option set on removable media partitions" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-1.1.19-1.1.21.sh" + $result=bash $path + foreach($line in $result){ + if(!($line -match "nosuid")){ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.21" + Task = "Ensure noexec option set on removable media partitions" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-1.1.19-1.1.21.sh" + $result=bash $path + foreach($line in $result){ + if(!($line -match "noexec")){ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.1.22" + Task = "Ensure sticky bit is set on all world-writable directories" + Test = { + try{ + $result = bash -c "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I 
'{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2> /dev/null" + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "1.1.23" + Task = "Disable Automounting" + Test = { + $result = dpkg -l | grep -o autofs + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + else{ + $result = systemctl is-enabled autofs + if($result -match "No such file or directory"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.1.24" + Task = "Disable USB Storage" + Test = { + $result1 = modprobe -n -v usb-storage + $result2 = lsmod | grep usb-storage + if($result1 -match "install /bin/true" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.2.1" + Task = "Ensure package manager repositories are configured" + Test = { + $result = apt-cache policy + if($result -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.2.2" + Task = "Ensure GPG keys are configured" + Test = { + $result = apt-key list + if($result -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.3.1" + Task = "Ensure AIDE is installed" + Test = { + $result1 = dpkg -l aide | grep '^ii' + $result2 = dpkg -l aide-common | grep '^ii' + if($result1 -eq $null -or $result2 -eq $null){ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = 
"True" + } + } +} +[AuditTest] @{ + Id = "1.3.2" + Task = "Ensure filesystem integrity is regularly checked" + Test = { + $result = grep -Ers '^([^#]+\s+)?(\/usr\/s?bin\/|^\s*)aide(\.wrapper)?\s(--check|\$AIDEARGS)\b' /etc/cron.* /etc/crontab /var/spool/cron/ + if($result -eq $null){ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure permissions on bootloader config are not overridden" + Test = { + $output = grep -E '^\s*chmod\s+[0-7][0-7][0-7]\s+\$\{grub_cfg\}\.new' -A 1 -B1 /usr/sbin/grub-mkconfig + if($output -match 'hmod 400 ${grub_cfg}.new || true'){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure bootloader password is set" + Test = { + $result1 = grep "^set superusers" /boot/grub/grub.cfg + $result2 = grep "^password" /boot/grub/grub.cfg + if($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.4.3" + Task = "Ensure permissions on bootloader config are configured" + Test = { + $result = stat /boot/grub/grub.cfg | grep "Uid: ( 0/ root) Gid: ( 0/ root)" + $result = $result | cut -d '(' -f 2 + $result = $result | cut -d '/' -f 1 + + if($result -eq "0400" -or $result[1] -le 4){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.4.4" + Task = "Ensure authentication required for single user mode" + Test = { + $result = grep -Eq '^root:\$[0-9]' /etc/shadow || echo "root is locked" + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + 
} + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure XD/NX support is enabled" + Test = { + $result = bash -c '[[ -n $(grep noexec[0-9]*=off /proc/cmdline) || -z $(grep -E -i " (pae|nx)" /proc/cpuinfo) || -n $(grep "\\sNX\\s.*\\sprotection:\\s" /var/log/dmesg | grep -v active) ]] && echo "NX Protection is not active"' + + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure address space layout randomization (ASLR) is enabled" + Test = { + $result1 = sysctl kernel.randomize_va_space + $result2 = grep -Es "^\s*kernel\.randomize_va_space\s*=\s*([0-1]|[3-9]|[1-9][0-9]+)" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + if($result1 -match "kernel.randomize_va_space = 2" -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure prelink is not installed" + Test = { + $result = dpkg -l | grep -o prelink + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.5.4" + Task = "Ensure core dumps are restricted" + Test = { + try{ + $result1 = grep -Es '^(\*|\s).*hard.*core.*(\s+#.*)?$' /etc/security/limits.conf /etc/security/limits.d/* + $result2 = sysctl fs.suid_dumpable + $result3 = grep "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/* + try{ + $result4 = systemctl is-enabled coredump.service + $message = "Compliant" + if($result4 -match "enabled" -or $result4 -match "masked" -or $result4 -match "disabled"){ + $message = "systemd-coredump is installed" + } + } + catch{ + $message = "systemd-coredump not installed" + } + if($result1 -match ".*\s*hard\s*core\s*0{1}?\s*" -and $result2 
-match "fs.suid_dumpable = 0" -and $result3 -match "fs.suid_dumpable = 0"){ + return @{ + Message = $message + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "1.6.1.1" + Task = "Ensure AppArmor is installed" + Test = { + $result = dpkg -s apparmor | grep -E '(Status:|not installed)' + + if($result -match "Status: install ok installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.6.1.2" + Task = "Ensure AppArmor is enabled in the bootloader configuration" + Test = { + $result1 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1" + $result2 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "security=apparmor" + if($result1 -eq $null -and $result2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.6.1.3" + Task = "Ensure all AppArmor Profiles are in enforce or complain mode" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + $profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1 + $result = expr $profileMode3 + $profileMode2 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + + if($result -eq $profileMode1 -and $unconfinedProcesses -eq 0){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.6.1.4" + Task = "Ensure all AppArmor Profiles are enforcing" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | 
sed '2!d' | cut -d ' ' -f 1 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + + if($profileMode1 -eq $profileMode2 -and $unconfinedProcesses -eq 0){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.1" + Task = "Ensure message of the day is configured properly" + Test = { + $output = grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd + + if($output -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.2" + Task = "Ensure local login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + + if($output1 -ne $null -and $output2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue.net + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + + if($output1 -ne $null -and $output2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.4" + Task = "Ensure permissions on /etc/motd are configured" + Test = { + $output = stat -L /etc/motd | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)" + + if($output -eq $null -or $output -match "Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + 
Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.5" + Task = "Ensure permissions on /etc/issue are configured" + Test = { + $output = stat -L /etc/issue | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)" + + if($output -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.7.6" + Task = "Ensure permissions on /etc/issue.net are configured" + Test = { + $output = stat -L /etc/issue.net | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)" + + if($output -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.1" + Task = "Ensure GNOME Display Manager is removed" + Test = { + $test1 = dpkg -l | grep -o gdm3 + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.2" + Task = "Ensure GNOME Display Manager is removed" + Test = { + if(Test-Path "/etc/gdm3/greeter.dconf-defaults"){ + $content = cat /etc/gdm3/greeter.dconf-defaults + $line1 = $content | grep "banner-message-enable=true" + $line2 = $content | grep "banner-message-text=" + if($line1 -ne $null -and $line1[0] -ne '#' -and $line2 -ne $null -and $line2[0] -ne '#'){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.3" + Task = "Ensure disable-user-list is enabled" + Test = { + if(Test-Path "/etc/gdm3/greeter.dconf-defaults"){ + $content = cat /etc/gdm3/greeter.dconf-defaults + $line = $content | grep "disable-user-list=true" + if($line -ne $null -and $line[0] -ne '#'){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + 
Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.8.4" + Task = "Ensure XDCMP is not enabled" + Test = { + $output = grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm3/custom.conf + if($output -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "1.9" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + $output = apt -s upgrade + $output = $? + if($output -match "True"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} + +[AuditTest] @{ + Id = "2.1.1.1" + Task = "Ensure time synchronization is in use" + Test = { + $test1 = systemctl is-enabled systemd-timesyncd + $test2 = dpkg -s ntp + $test3 = dpkg -s chrony + if($test1 -match "enabled" -or $test2 -match "Status: install ok installed" -or $test3 -match "Status: install ok installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +$ntp = dpkg -s ntp +$ntp = $? +$chrony = dpkg -s chrony +$chrony = $? 
+$timesyncd = systemctl is-enabled systemd-timesyncd + +if($ntp -match "False" -and $chrony -match "False"){ + [AuditTest] @{ + Id = "2.1.1.2" + Task = "Ensure systemd-timesyncd is configured" + Test = { + $test1 = systemctl is-enabled systemd-timesyncd.service + $time = timedatectl status + if($test1 -match "enabled" -and $time -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + } +} +elseif($ntp -match "False" -and $timesyncd -notmatch "enabled"){ + [AuditTest] @{ + Id = "2.1.1.3" + Task = "Ensure chrony is configured" + Test = { + $test1 = dpkg -s ntp | grep -E '(Status:|not installed)' + $test2 = systemctl is-enabled systemd-timesyncd + $test3 = grep -E "^(server|pool)" /etc/chrony/chrony.conf + $test4 = ps -ef | grep chronyd | grep "_chrony" + if($test1 -match "package 'ntp' is not installed" -and $test2 -match "masked" -and $test3 -ne $null -and $test4 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + } +} +elseif($chrony -match "False" -and $timesyncd -notmatch "enabled"){ + [AuditTest] @{ + Id = "2.1.1.4" + Task = "Ensure ntp is configured" + Test = { + $test1 = grep "^restrict" /etc/ntp.conf + $test2 = grep -E "^(server|pool)" /etc/ntp.conf + $test3 = grep "RUNASUSER=ntp" /etc/init.d/ntp + if($test1 -match "restrict -4 default kod notrap nomodify nopeer noquery limited" -and $test1 -match "restrict -6 default kod notrap nomodify nopeer noquery limited" -and $test2 -ne $null -and $test3 -match "RUNASUSER=ntp"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "2.1.2" + Task = "Ensure X Window System is not installed" + Test = { + $test1 = dpkg -l | grep -o xserver-xorg* + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + 
Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.3" + Task = "Ensure Avahi Server is not installed" + Test = { + $status = dpkg -l | grep -o avahi-daemon + if($status -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.4" + Task = "Ensure CUPS is not installed" + Test = { + $test1 = dpkg -s cups + $test1 = $? + if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.5" + Task = "Ensure DHCP Server is not installed" + Test = { + $test1 = dpkg -l | grep -o isc-dhcp-server + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.6" + Task = "Ensure LDAP server is not installed" + Test = { + $test1 = dpkg -l | grep -o slapd + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.7" + Task = "Ensure NFS is not installed" + Test = { + $test1 = dpkg -l | grep -o nfs-kernel-server + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.8" + Task = "Ensure DNS Server is not installed" + Test = { + $test1 = dpkg -l | grep -o bind9 + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.9" + Task = "Ensure FTP Server is not installed" + Test = { + $test1 = dpkg -l | grep -o vsftpd + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.10" + Task = "Ensure HTTP server is not installed" + Test = { + $test1 = dpkg -l | grep -o apache2 + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.11" + Task = "Ensure IMAP and POP3 server are not installed" + Test = { + $test1 = dpkg -l | grep -o dovecot-imapd + $test2 = dpkg -l | grep -o dovecot-pop3d + if($test1 -eq $null -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.12" + Task = "Ensure Samba is not installed" + Test = { + dpkg -s samba | grep -E '(Status:|not installed)' + $test1 = $? + if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.13" + Task = "Ensure HTTP Proxy Server is not installed" + Test = { + $test1 = dpkg -l | grep -o squid + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.14" + Task = "Ensure SNMP Server is not installed" + Test = { + $test1 = dpkg -l | grep -o snmpd + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.15" + Task = "Ensure mail transfer agent is configured for local-only mode" + Test = { + $test1 = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.16" + Task = "Ensure rsync service is not installed" 
+ Test = { + dpkg -s rsync | grep -E '(Status:|not installed)' + $test1 = $? + if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.1.17" + Task = "Ensure NIS Server is not installed" + Test = { + $test1 = dpkg -s nis + $test1 = $? + if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.1" + Task = "Ensure NIS Client is not installed" + Test = { + $test1 = dpkg -s nis + $test1 = $? + if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure rsh client is not installed" + Test = { + $test1 = dpkg -s rsh-client + $test1 = $? + if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.3" + Task = "Ensure talk client is not installed" + Test = { + $test1 = dpkg -s talk + $test1 = $? 
+ if($test1 -match "False"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure telnet client is not installed" + Test = { + $test1 = dpkg -l | grep -o telnet + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure LDAP client is not installed" + Test = { + $test1 = dpkg -l | grep -o ldap-utils + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.2.6" + Task = "Ensure RPC is not installed" + Test = { + $test1 = dpkg -l | grep -o rpcbind + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "2.3" + Task = "Ensure nonessential services are removed or masked" + Test = { + $test1 = lsof -i -P -n | grep -v "(ESTABLISHED)" + if($test1 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.1" + Task = "Disable IPv6" + Test = { + if($isIPv6Disabled -eq $true){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-3.1.2.sh" + $result=bash $path + if($result -match "Wireless is not enabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Wireless interfaces are active" + Status = "False" + } + } +} +[AuditTest] @{ + Id = 
"3.2.1" + Task = "Ensure packet redirect sending is disabled" + Test = { + $test1 = sysctl net.ipv4.conf.all.send_redirects + $test2 = sysctl net.ipv4.conf.default.send_redirects + $test3 = grep -E "^\s*net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep -E "^\s*net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.conf.all.send_redirects = 0" -and $test2 -match "net.ipv4.conf.default.send_redirects = 0" -and $test3 -match "net.ipv4.conf.all.send_redirects = 0" -and $test4 -match "net.ipv4.conf.default.send_redirects = 0"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure IP forwarding is disabled" + Test = { + $test1 = sysctl net.ipv4.ip_forward + $test2 = grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + if($test1 -match "net.ipv4.ip_forward = 0" -and $test2 -eq $null){ + if($isIPv6Disabled -ne $true){ + $test1 = sysctl net.ipv6.conf.all.forwarding + $test2 = grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + if($test1 -match "net.ipv6.conf.all.forwarding = 0" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + else{ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure source routed packets are not accepted" + Test = { + $test1 = sysctl net.ipv4.conf.all.accept_source_route + $test2 = sysctl net.ipv4.conf.default.accept_source_route + $test3 = grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf 
/etc/sysctl.d/* + if($test1 -match "net.ipv4.conf.all.accept_source_route = 0" -and $test2 -match "net.ipv4.conf.default.accept_source_route = 0" -and $test3 -match "net.ipv4.conf.all.accept_source_route = 0" -and $test4 -match "net.ipv4.conf.default.accept_source_route = 0"){ + if($isIPv6Disabled -eq $false){ + $test1 = sysctl net.ipv6.conf.all.accept_source_route + $test2 = sysctl net.ipv6.conf.default.accept_source_route + $test3 = grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv6.conf.all.accept_source_route = 0" -and $test2 -match "net.ipv6.conf.default.accept_source_route = 0" -and $test3 -match "net.ipv4.conf.all.accept_source_route = 0" -and $test4 -match "net.ipv6.conf.default.accept_source_route = 0"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + else{ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure ICMP redirects are not accepted" + Test = { + $test1 = sysctl net.ipv4.conf.all.accept_redirects + $test2 = sysctl net.ipv4.conf.default.accept_redirects + $test3 = grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.conf.all.accept_redirects = 0" -and $test2 -match "net.ipv4.conf.default.accept_redirects = 0" -and $test3 -match "net.ipv4.conf.all.accept_redirects = 0" -and $test4 -match "net.ipv4.conf.default.accept_redirects = 0"){ + if($isIPv6Disabled -eq $false){ + $test1 = sysctl net.ipv6.conf.all.accept_redirects + $test2 = sysctl net.ipv6.conf.default.accept_redirects + $test3 = grep "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep 
"net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv6.conf.all.accept_redirects = 0" -and $test2 -match "net.ipv6.conf.default.accept_redirects = 0" -and $test3 -match "net.ipv6.conf.all.accept_redirects = 0" -and $test4 -match "net.ipv6.conf.default.accept_redirects = 0"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + else{ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.3" + Task = "Ensure secure ICMP redirects are not accepted" + Test = { + $test1 = sysctl net.ipv4.conf.all.secure_redirects + $test2 = sysctl net.ipv4.conf.default.secure_redirects + $test3 = grep "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.conf.all.secure_redirects = 0" -and $test2 -match "net.ipv4.conf.default.secure_redirects = 0" -and $test3 -match "net.ipv4.conf.all.secure_redirects = 0" -and $test4 -match "net.ipv4.conf.default.secure_redirects = 0"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure suspicious packets are logged" + Test = { + $test1 = sysctl net.ipv4.conf.all.log_martians + $test2 = sysctl net.ipv4.conf.default.log_martians + $test3 = grep "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.conf.all.log_martians = 1" -and $test2 -match "net.ipv4.conf.default.log_martians = 1" -and $test3 -match "net.ipv4.conf.all.log_martians = 1" -and $test4 -match "net.ipv4.conf.default.log_martians = 1"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message 
= "Not-Compliant" + Status = "False" + } + } +} + +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure broadcast ICMP requests are ignored" + Test = { + $test1 = sysctl net.ipv4.icmp_echo_ignore_broadcasts + $test2 = grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1" -and $test2 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure bogus ICMP responses are ignored" + Test = { + $test1 = sysctl net.ipv4.icmp_ignore_bogus_error_responses + $test2 = grep "net.ipv4.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1" -and $test2 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure Reverse Path Filtering is enabled" + Test = { + $test1 = sysctl net.ipv4.conf.all.rp_filter + $test2 = sysctl net.ipv4.conf.default.rp_filter + $test3 = grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv4.conf.all.rp_filter = 1" -and $test2 -match "net.ipv4.conf.default.rp_filter = 1" -and $test3 -match "net.ipv4.conf.all.rp_filter=1" -and $test4 -match "net.ipv4.conf.default.rp_filter=1"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure TCP SYN Cookies is enabled" + Test = { + $test1 = sysctl net.ipv4.tcp_syncookies + $test2 = grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 
-match "net.ipv4.tcp_syncookies = 1" -and $test2 -match "net.ipv4.tcp_syncookies = 1"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure IPv6 router advertisements are not accepted" + Test = { + $test1 = sysctl net.ipv6.conf.all.accept_ra + $test2 = sysctl net.ipv6.conf.default.accept_ra + $test3 = grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + $test4 = grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + if($test1 -match "net.ipv6.conf.all.accept_ra = 0" -and $test2 -match "net.ipv6.conf.default.accept_ra = 0" -and $test3 -match "net.ipv6.conf.all.accept_ra = 0" -and $test4 -match "net.ipv6.conf.default.accept_ra = 0"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.4.1" + Task = "Ensure DCCP is disabled" + Test = { + $test1 = modprobe -n -v dccp + $test2 = lsmod | grep dccp + if($test1 -match "install /bin/true" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.4.2" + Task = "Ensure SCTP is disabled" + Test = { + $test1 = modprobe -n -v sctp | grep -E '(sctp|install)' + $test2 = lsmod | grep sctp + if($test1 -match "install /bin/true" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.4.3" + Task = "Ensure RDS is disabled" + Test = { + $test1 = modprobe -n -v rds + $test2 = lsmod | grep rds + if($test1 -match "install /bin/true" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.4.4" + 
Task = "Ensure TIPC is disabled" + Test = { + $test1 = modprobe -n -v tipc | grep -E '(tipc|install)' + $test2 = lsmod | grep tipc + if($test1 -match "install /bin/true" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.1" + Task = "Ensure ufw is installed" + Test = { + $test1 = dpkg -s ufw | grep 'Status: install' + if($test1 -match "Status: install ok installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.2" + Task = "Ensure iptables-persistent is not installed with ufw" + Test = { + $test1 = dpkg -l | grep -o iptables-persistent + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.3" + Task = "Ensure ufw service is enabled" + Test = { + $test1 = systemctl is-enabled ufw + $test1 = $? 
+ $test2 = ufw status | grep Status + if($test1 -match "True" -and $test2 -match "Status: active"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.4" + Task = "Ensure ufw loopback traffic is configured" + Test = { + $test1 = ufw status verbose + $result1 = $test1 -match "^Anywhere on lo\s+ALLOW IN\s+Anywhere$" + $result2 = $test1 -match "^Anywhere\s+DENY IN\s+127.0.0.0/8$" + $result3 = $test1 -match "^Anywhere (v6) on lo\s+ALLOW IN\s+Anywhere (v6)$" + $result4 = $test1 -match "^Anywhere (v6)\s+DENY IN\s+::1$" + $result5 = $test1 -match "^Anywhere\s+ALLOW OUT\s+Anywhere on lo$" + $result6 = $test1 -match "^Anywhere (v6)\s+ALLOW OUT\s+Anywhere (v6) on lo$" + if($result1 -ne $null -and $result2 -ne $null -and $result3 -ne $null -and $result4 -ne $null -and $result5 -ne $null -and $result6 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.5" + Task = "Ensure ufw outbound connections are configured" + Test = { + $test1 = ufw status numbered + if($test1 -notmatch "Status: inactive"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.1.7" + Task = "Ensure ufw default deny firewall policy" + Test = { + $test1 = ufw status verbose + if($test1 -match "deny" -or $test1 -match "reject"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.2.1" + Task = "Ensure nftables is installed" + Test = { + $test1 = dpkg -l | grep -o nftables + if($test1 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.2.2" + Task = 
"Ensure ufw is uninstalled or disabled with nftables" + Test = { + $test1 = dpkg-query -s ufw + $test1 = $? + $test2 = dpkg-query -s nftables + $test2 = $? + if($test1 -match "True" -and $test2 -match "True"){ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "3.5.2.3" + Task = "Ensure iptables are flushed with nftables" + Test = { + $test1 = iptables -L + $test2 = ip6tables -L + if($test1 -notmatch "target" -and $test2 -notmatch "target"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.2.4" + Task = "Ensure a nftables table exists" + Test = { + try{ + $test1 = nft list tables + if($test1 -match "table"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.5" + Task = "Ensure nftables base chains exist" + Test = { + try{ + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.6" + Task = "Ensure nftables loopback traffic is configured" + Test = { + try{ + if($isIPv6Disabled -ne $true){ + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + $test2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + if($test1 -match 'iif "lo" accept' -and $test2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + else{ + $test = nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + if($test -match 'ip6 saddr ::1 counter packets 0 bytes 0 drop'){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.7" + Task = "Ensure nftables outbound and established connections are configured" + Test = { + try{ + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + $test2 = nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + if($test1 -match "ip protocol tcp ct state established accept" -and $test1 -match "p protocol udp ct state established accept" -and $test1 -match "ip protocol icmp ct state established accept" -and $test2 -match "ip protocol tcp ct state established,related,new accep" -and $test2 -match "ip protocol udp ct state established,related,new accept" -and $test2 -match "ip protocol icmp ct state established,related,new accept"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.8" + Task = "Ensure nftables default deny firewall policy" + Test = { + try{ + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "policy drop" -and $test2 -match "policy drop" -and $test3 -match "policy drop"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "3.5.2.9" + Task = "Ensure nftables service is enabled" + Test = { + $test1 = systemctl is-enabled nftables + if($test1 -match "enabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.1.1" + Task = "Ensure iptables packages are installed" + Test = { + $test1 = apt list iptables iptables-persistent + $test1 = $? 
+ if($test1 -match "True"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.1.2" + Task = "Ensure nftables is not installed with iptables" + Test = { + $test1 = dpkg -s nftables + if($test1 -match "package 'nftables' is not installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.1.3" + Task = "Ensure ufw is uninstalled or disabled with iptables" + Test = { + $test1 = dpkg -l | grep -o ufw + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.2.1" + Task = "Ensure iptables loopback traffic is configured" + Test = { + $test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP" + $test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP" + if($test1 -ne $null -and $test2 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.2.2" + Task = "Ensure iptables outbound and established connections are configured" + Test = { + $test1 = iptables -L -v -n + if($test1 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.2.3" + Task = "Ensure iptables default deny firewall policy" + Test = { + $output = iptables -L + $test1 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $res1 = $? + $test2 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $res2 = $? + $test3 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + $res3 = $? 
+ if($res1 -match "True" -and $res2 -match "True" -and $res3 -match "True"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.5.3.3.3" + Task = "Ensure ip6tables default deny firewall policy" + Test = { + $output = ip6tables -L + $test1 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $res1 = $? + $test2 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $res2 = $? + $test3 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + $res3 = $? + if($isIPv6Disabled -eq $true){ + return @{ + Message = "Compliant" + Status = "True" + } + } + if($res1 -match "True" -and $res2 -match "True" -and $res3 -match "True"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.1" + Task = "Ensure auditd is installed" + Test = { + $test1 = dpkg -l | grep -o auditd + $test2 = dpkg -l | grep -o audispd-plugins + if($test1 -ne $null -and $test2 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.2" + Task = "Ensure auditd service is enabled" + Test = { + $test1 = systemctl is-enabled auditd + if($test1 -match "enabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.3" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $test1 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "audit=1" + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.1.4" + Task = "Ensure audit_backlog_limit is sufficient" + Test = { + $test1 = grep "^\s*linux" 
/boot/grub/grub.cfg | grep -v "audit_backlog_limit=" + $test2 = grep "^\s*linux" /boot/grub/grub.cfg | grep "audit_backlog_limit=" | sed 's/^.*\(audit_backlog_limit=[\/a-z]*\).*$/\1/' | cut -f2 -d'=' + $test2 = [int] $test2 + if($test1 -eq $null -and $test2 -ge 8192){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + $test1 = grep max_log_file /etc/audit/auditd.conf + if($test1 -match "max_log_file"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $test1 = grep max_log_file_action /etc/audit/auditd.conf + if($test1 -match "max_log_file_action = keep_logs"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.1.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $test1 = grep space_left_action /etc/audit/auditd.conf + $test2 = grep action_mail_acct /etc/audit/auditd.conf + $test3 = grep admin_space_left_action /etc/audit/auditd.conf + if($test1 -match "space_left_action = email" -and $test2 -match "action_mail_acct = root" -and $test3 -match "admin_space_left_action = halt"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} + +[AuditTest] @{ + Id = "4.1.3" + Task = "Ensure events that modify date and time information are collected" + Test = { + try{ + $bitVersion = uname -a + #if 32 bit + if($bitVersion -match "i386"){ + $output = grep time-change /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" + $test2 
= $output -match "-a always,exit -F arch=b32 -S clock_settime -k time-change" + $test3 = $output -match "-w /etc/localtime -p wa -k time-change" + + $output2 = auditctl -l | grep time-change + $test4 = $output2 -match "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" + $test5 = $output2 -match "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" + $test6 = $output2 -match "-w /etc/localtime -p wa -k time-change" + + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + #64 bit + elseif($bitVersion -match "x86_64"){ + $output = grep time-change /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" + $test2 = $output -match "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" + $test3 = $output -match "-a always,exit -F arch=b64 -S clock_settime -k time-change" + $test4 = $output -match "-a always,exit -F arch=b32 -S clock_settime -k time-change" + $test5 = $output -match "-w /etc/localtime -p wa -k time-change" + $output2 = auditctl -l | grep time-change + $test6 = $output2 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change" + $test7 = $output2 -match "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" + $test8 = $output2 -match "-a always,exit -F arch=b64 -S clock_settime -F key=time-change" + $test9 = $output2 -match "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" + $test10 = $output2 -match "-w /etc/localtime -p wa -k time-change" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + 
} + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.4" + Task = "Ensure events that modify user/group information are collected" + Test = { + try{ + $output = grep identity /etc/audit/rules.d/*.rules + $test1 = $output -match "-w /etc/group -p wa -k identity" + $test2 = $output -match "-w /etc/passwd -p wa -k identity" + $test3 = $output -match "-w /etc/gshadow -p wa -k identity" + $test4 = $output -match "-w /etc/shadow -p wa -k identity" + $test5 = $output -match "-w /etc/security/opasswd -p wa -k identity" + $output2 = auditctl -l | grep identity + $test6 = $output2 -match "-w /etc/group -p wa -k identity" + $test7 = $output2 -match "-w /etc/passwd -p wa -k identity" + $test8 = $output2 -match "-w /etc/gshadow -p wa -k identity" + $test9 = $output2 -match "-w /etc/shadow -p wa -k identity" + $test10 = $output2 -match "-w /etc/security/opasswd -p wa -k identity" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + try{ + $bitVersion = uname -a + #if 32 bit + if($bitVersion -match "i386"){ + $output = grep system-locale /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" + $test2 = $output -match "-w /etc/issue -p wa -k system-locale" + $test3 = $output -match "-w /etc/issue.net -p wa -k system-locale" + $test4 = $output -match "-w /etc/hosts -p wa -k system-locale" + $test5 = $output -match "-w /etc/network -p wa -k system-locale" + $output2 = auditctl -l | grep system-locale + $test6 = $output2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale" + $test7 = $output2 -match "-w /etc/issue -p wa -k system-locale" + $test8 = $output2 -match "-w /etc/issue.net -p wa -k system-locale" + $test9 = $output2 -match "-w /etc/hosts -p wa -k system-locale" + $test10 = $output2 -match "-w /etc/network -p wa -k system-locale" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + #64 bit + elseif($bitVersion -match "x86_64"){ + $output = grep system-locale /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" + $test1_2 = $output -match "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" + $test2 = $output -match "-w /etc/issue -p wa -k system-locale" + $test3 = $output -match "-w /etc/issue.net -p wa -k system-locale" + $test4 = $output -match "-w /etc/hosts -p wa -k system-locale" + $test5 = $output -match "-w /etc/network -p wa -k system-locale" + $output2 = auditctl -l | grep 
system-locale + $test6 = $output2 -match "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale" + $test6_2 = $output2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale" + $test7 = $output2 -match "-w /etc/issue -p wa -k system-locale" + $test8 = $output2 -match "-w /etc/issue.net -p wa -k system-locale" + $test9 = $output2 -match "-w /etc/hosts -p wa -k system-locale" + $test10 = $output2 -match "-w /etc/network -p wa -k system-locale" + if($test1 -ne $null -and $test1_2 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test6_2 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.6" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + try{ + $output = grep MAC-policy /etc/audit/rules.d/*.rules + $test1 = $output -match "-w /etc/apparmor/ -p wa -k MAC-policy" + $test2 = $output -match "-w /etc/apparmor.d/ -p wa -k MAC-policy" + $output2 = auditctl -l | grep MAC-policy + $test3 = $output2 -match "-w /etc/apparmor -p wa -k MAC-policy" + $test4 = $output2 -match "-w /etc/apparmor.d -p wa -k MAC-policy" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.7" + Task = "Ensure login and logout events are collected" + Test = { + try{ + $output = grep logins /etc/audit/rules.d/*.rules + $test1 = $output -match "-w /var/log/faillog -p wa -k logins" + $test2 = $output -match "-w /var/log/lastlog -p wa -k logins" + $test3 = $output -match "-w /var/log/tallylog -p wa -k logins" + $output2 = auditctl -l | grep logins + $test4 = $output2 -match "-w /var/log/faillog -p wa -k logins" + $test5 = $output2 -match "-w /var/log/lastlog -p wa -k logins" + $test6 = $output2 -match "-w /var/log/tallylog -p wa -k logins" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.8" + Task = "Ensure session initiation information is collected" + Test = { + try{ + $output = grep -E '(session|logins)' /etc/audit/rules.d/*.rules + $test1 = $output -match "-w /var/run/utmp -p wa -k session" + $test2 = $output -match "-w /var/log/wtmp -p wa -k logins" + $test3 = $output -match "-w /var/log/btmp -p wa -k logins" + $output2 = auditctl -l | grep -E '(session|logins)' + $test4 = $output2 -match "-w /var/run/utmp -p wa -k session" + $test5 = $output2 -match "-w /var/log/wtmp -p wa -k logins" + $test6 = $output2 -match "-w /var/log/btmp -p wa -k logins" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.9" + Task = "Ensure discretionary access control permission modification events are collected" + Test = { + try{ + $bitVersion = uname -a + #if 32 bit + if($bitVersion -match "i386"){ + $output = grep perm_mod /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" + $test2 = $output -match "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" + $test3 = $output -match "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295" + $test4 = $output -match "-k perm_mod" + $output2 = auditctl -l | grep perm_mod + $test5 = $output2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1" + $test6 = $output2 -match "-F key=perm_mod" + $test7 = $output2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" + $test8 = $output2 -match "-a always,exit -F arch=b32 -S" + $test9 = $output2 -match "setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod" + if($test1 -ne $null -and $test1_2 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test6_2 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null){ + + return @{ + Message = "Compliant" + Status = "True" + } + } + } + #64 Bit + elseif($bitVersion -match "x86_64"){ + $output = grep perm_mod /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" + $test2 = $output -match "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" + $test3 = 
$output -match "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" + $test4 = $output -match "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" + $test5 = $output -match "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295" + $test6 = $output -match "-k perm_mod" + $test7 = $output -match "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295" + $test8 = $output -match "-k perm_mod" + $output2 = auditctl -l | grep perm_mod + $test9 = $output2 -match "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" + $test10 = $output2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" + $test11 = $output2 -match "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" + $test12 = $output2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" + $test13 = $output2 -match "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod" + $test14 = $output2 -match "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null -and $test11 -ne $null -and $test12 -ne $null -and $test13 -ne $null -and $test14 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.10" + Task = "Ensure unsuccessful unauthorized file access attempts are collected" + Test = { + try{ + $bitVersion = uname -a + if($bitVersion -match "i386"){ + $output = grep access /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" + $test2 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" + $output2 = auditctl -l | grep access + $test3 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" + $test4 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + elseif($bitVersion -match "x86_64"){ + $output = grep access /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" + $test2 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" + $test3 = $output -match "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" + $test4 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" + $output2 = auditctl -l | grep access + 
$test5 = $output2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" + $test6 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" + $test7 = $output2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access" + $test8 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.11" + Task = "Ensure use of privileged commands is collected" + Test = { + $results = @() + $mountPoints = mount | grep -v "/var/lib/snapd" | grep -v "cgroup on " | grep -v "noexec" | grep -v " fuse" | cut -f 3 -d ' ' + foreach($mountPoint in $mountPoints){ + $res=bash -c "find $($mountPoint) -xdev \( -perm -4000 -o -perm -2000 \) -type f" + $results += $res | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ -k privileged" }' + } + $viablePaths = @() + $paths = @() + foreach($element in $results){ + $viablePaths += $element | cut -d ' ' -f 4 | cut -d '=' -f 2 | grep "/etc/audit/rules.d/*.rules" + $paths += $element | cut -d ' ' -f 4 | cut -d '=' -f 2 | grep -v "/etc/audit/rules.d/*.rules" + } + $message = "" + foreach($line in $paths){ + $message += "
$line" + } + if($viablePaths.Count -ne $results.Count){ + return @{ + Message = "Not all results are in path /etc/audit/rules.d/ and are .rules files. Non compliant files:
$($message)" + Status = "False" + } + } + return @{ + Message = "Compliant" + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.1.12" + Task = "Ensure successful file system mounts are collected" + Test = { + try{ + $bitVersion = uname -a + if($bitVersion -match "i386"){ + $output = grep mounts /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + $output2 = auditctl -l | grep mounts + $test2 = $output2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts" + if($test1 -ne $null -and $test2 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + elseif($bitVersion -match "x86_64"){ + $output = grep mounts /etc/audit/rules.d/*.rules + $test1 = $output -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + $test2 = $output -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + $output2 = auditctl -l | grep mounts + $test3 = $output2 -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts" + $test4 = $output2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.13" + Task = "Ensure file deletion events by users are collected" + Test = { + try{ + $test1 = grep delete /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep delete + if($test1 -match "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" -and $test2 -match "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.14" + Task = "Ensure changes to system administration scope (sudoers) is collected" + Test = { + try{ + $test1 = grep scope /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep scope + if($test1 -match "-w /etc/sudoers -p wa -k scope" -and $test1 -match "-w /etc/sudoers.d/ -p wa -k scope" -and $test2 -match "-w /etc/sudoers -p wa -k scope" -and $test2 -match "-w /etc/sudoers.d -p wa -k scope" ){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.15" + Task = "Ensure system administrator command executions (sudo) are collected" + Test = { + try{ + $test1 = grep actions /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep actions + $res1 = "-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions" + $res2 = "-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions" + $res3 = "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=-1 -F key=actions" + $res4 = "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=-1 -F key=actions" + if($test1 -match $res1 -and $test1 -match $res2 -and $test2 -match $res3 -and $test2 -match $res4){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.1.16" + Task = "Ensure kernel module loading and unloading is collected" + Test = { + $test1 = grep modules /etc/audit/rules.d/*.rules + $test2 = auditctl -l | grep modules + $res1 = "-w /sbin/insmod -p x -k modules" + $res2 = "-w /sbin/rmmod -p x -k modules" + $res3 = "-w /sbin/modprobe -p x -k modules" + $res4 = "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" + $res5 = "-w /sbin/insmod -p x -k modules" + $res6 = "-w /sbin/rmmod -p x -k modules" + $res7 = "-w /sbin/modprobe -p x -k modules" + $res8 = "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules" + + if($test1 -match $res1 -and $test1 -match $res2 -and $test1 -match $res3 -and $test1 -match $res4 -and $test2 -match $res5 -and $test2 -match $res6 -and $test2 -match $res7 -and $test2 -match $res8){ + return @{ + Message = "Compliant" + Status = "True" + } + } + else{ + return @{ + Message = "Not-Compliant" + Status = "False" + } + } 
+ } +} +[AuditTest] @{ + Id = "4.1.17" + Task = "Ensure the audit configuration is immutable" + Test = { + $test1 = grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -l + if($test1 -match "-e 2"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.1" + Task = "Ensure rsyslog is installed" + Test = { + $test1 = dpkg -s rsyslog + if($test1 -match "Status: install ok installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.2" + Task = "Ensure rsyslog Service is enabled" + Test = { + $test1 = systemctl is-enabled rsyslog + if($test1 -match "enabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.1.3" + Task = "Ensure logging is configured" + Test = { + $logginTypes = 0 + $fileContent = cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf + if($fileContent -match "^*.emerg\s*:omusrmsg:*") {$logginTypes++} + if($fileContent -match "^auth,authpriv.*\s*/var/log/auth.log") {$logginTypes++} + if($fileContent -match "^mail.*\s*-/var/log/mail") {$logginTypes++} + if($fileContent -match "^mail.info\s*-/var/log/mail.info") {$logginTypes++} + if($fileContent -match "^mail.warning\s*-/var/log/mail.warn") {$logginTypes++} + if($fileContent -match "^mail.err\s*/var/log/mail.err") {$logginTypes++} + if($fileContent -match "^news.crit\s*-/var/log/news/news.crit") {$logginTypes++} + if($fileContent -match "^news.err\s*-/var/log/news/news.err") {$logginTypes++} + if($fileContent -match "^news.notice\s*-/var/log/news/news.notice") {$logginTypes++} + if($fileContent -match "^*.=warning;*.=err\s*-/var/log/warn") {$logginTypes++} + if($fileContent -match "^*.crit\s*/var/log/warn") {$logginTypes++} + if($fileContent -match 
"^*.*;mail.none;news.none\s*-/var/log/messages") {$logginTypes++} + if($fileContent -match "^local0,local1.*\s*-/var/log/localmessages") {$logginTypes++} + if($fileContent -match "^local2,local3.*\s*-/var/log/localmessages") {$logginTypes++} + if($fileContent -match "^local4,local5.*\s*-/var/log/localmessages") {$logginTypes++} + if($fileContent -match "^local6,local7.*\s*-/var/log/localmessages") {$logginTypes++} + + if($logginTypes -le 5){ + return @{ + Message = "Not enough logging types supported! Currently: " + $logginTypes + Status = "False" + } + } + if($logginTypes -le 12){ + return @{ + Message = "Currently configured: " + $logginTypes + Status = "Warning" + } + } + return @{ + Message = "Compliant. Currently: " + $logginTypes + Status = "True" + } + } +} +[AuditTest] @{ + Id = "4.2.1.4" + Task = "Ensure rsyslog default file permissions configured" + Test = { + $test1 = cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep "^\s*\`$FileCreateMode" + if($test1 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +# [AuditTest] @{ +# Id = "4.2.1.5" +# Task = "Ensure rsyslog is configured to send logs to a remote log host" +# Test = { +# $test1 = grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +# grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.conf +# if($test1 -match "target"){ +# return @{ +# Message = "Compliant" +# Status = "True" +# } +# } +# return @{ +# Message = "Not-Compliant" +# Status = "False" +# } +# } +# } +[AuditTest] @{ + Id = "4.2.2.1" + Task = "Ensure journald is configured to send logs to rsyslog" + Test = { + $test1 = grep -e ForwardToSyslog /etc/systemd/journald.conf + if($test1 -match "ForwardToSyslog=yes"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} 
+[AuditTest] @{ + Id = "4.2.2.2" + Task = "Ensure journald is configured to compress large log files" + Test = { + $test1 = grep -e Compress /etc/systemd/journald.conf + if($test1 -match "Compress=yes"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.2.3" + Task = "Ensure journald is configured to write logfiles to persistent disk" + Test = { + $test1 = grep -e Storage /etc/systemd/journald.conf + if($test1 -match "Storage=persistent"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.2.3" + Task = "Ensure permissions on all logfiles are configured" + Test = { + $fileListAll = find /var/log -type f -ls + $fileListFiltered = find /var/log -type f -ls | grep "\-....\-\-\-\-\-" + if($fileListAll.Count -eq $fileListFiltered.Count){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "$($fileListAll.Count - $fileListFiltered.Count) files grant too many permissions" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "4.3" + Task = "Ensure logrotate is configured" + Test = { + return @{ + Message = "Review /etc/logrotate.conf and /etc/logrotate.d/rsyslog and verify logs are rotated according to site policy." 
+ Status = "None" + } + } +} +[AuditTest] @{ + Id = "4.4" + Task = "Ensure logrotate assigns appropriate permissions" + Test = { + $test1 = grep -Es "^\s*create\s+\S+" /etc/logrotate.conf /etc/logrotate.d/* | grep -E -v "\s(0)?[0-6][04]0\s" + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled and running" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if($test1 -eq "enabled" -and $test2 -match "running"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test1 = stat /etc/crontab + if($test1 -eq "Access: (0600/-rw-------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $test1 = stat /etc/cron.hourly/ + if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $test1 = stat /etc/cron.daily/ + if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $test1 = stat 
/etc/cron.weekly/ + if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $test1 = stat /etc/cron.monthly/ + if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $test1 = stat /etc/cron.d/ + if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure cron is restricted to authorized users" + Test = { + $test1 = stat /etc/cron.deny + $test1 = $? + $test2 = stat /etc/cron.allow + if($test1 -match "False" -and $test2 -match "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure at is restricted to authorized users" + Test = { + $test1 = stat /etc/at.deny + $test1 = $? 
+ $test2 = stat /etc/at.allow | grep 0640 + if($test1 -match "False" -and $test2 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure sudo is installed" + Test = { + $test1 = dpkg -s sudo + if($test1 -match "Status: install ok installed"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure sudo commands use pty" + Test = { + $test1 = grep -Ei '^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$' /etc/sudoers /etc/sudoers.d/* + if($test1 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure sudo log file exists" + Test = { + $test1 = grep -Ei '^\s*Defaults\s+logfile=\S+' /etc/sudoers /etc/sudoers.d/* + if($test1 -ne $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.1" + Task = "Ensure permissions on /etc/ssh/sshd_config are configured" + Test = { + try{ + try{ + $test1 = stat /etc/ssh/sshd_config | grep 0600 + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + + if($test1 -eq "Access: (0600/-rw-------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.2" + Task = "Ensure permissions on SSH private host key files are configured" + Test = { + $res = bash -c "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \;" | grep "Access:\s*(0600/-rw-------)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)\s*" + if($res.count -eq 3){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + $res = bash -c "find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat {} \;" | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)\s*" + if($res.count -eq 3){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.3.4" + Task = "Ensure SSH access is limited" + Test = { + try{ + $result = bash -c "sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*(allow|deny)(users|groups)\s+\S+'" + if($result -match "allowusers" -or $result -match "allowgroups" -or $result -match "denyusers" -or $result -match "denygroups"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.5" + Task = "Ensure SSH LogLevel is appropriate" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep loglevel + try{ + $test2 = grep -is 'loglevel' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi '(VERBOSE|INFO)' + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if(($test1 -match "loglevel VERBOSE" -or $test1 -match "loglevel INFO") -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.6" + Task = "Ensure SSH X11 forwarding is disabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i x11forwarding + try{ + $test2 = grep -Eis '^\s*x11forwarding\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -match "x11forwarding no" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.7" + Task = "Ensure SSH MaxAuthTries is set to 4 or less" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep maxauthtries | cut -d ' ' -f 2 + try{ + $test2 = grep -Eis '^\s*maxauthtries\s+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if($test1 -le 4 -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.8" + Task = "Ensure SSH IgnoreRhosts is enabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ignorerhosts + try{ + $test2 = grep -Eis '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -match "ignorerhosts yes" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.10" + Task = "Ensure SSH root login is disabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootlogin + try{ + $test2 = grep -Eis '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if($test1 -match "permitrootlogin no" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.11" + Task = "Ensure SSH PermitEmptyPasswords is disabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitemptypasswords + try{ + $test2 = grep -Eis '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -match "permitemptypasswords no" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.12" + Task = "Ensure SSH PermitUserEnvironment is disabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permituserenvironment + try{ + $test2 = grep -Eis '^\s*PermitUserEnvironment\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if($test1 -match "permituserenvironment no" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.13" + Task = "Ensure only strong Ciphers are used" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*ciphers\s+([^#]+,)?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se)\b' + try{ + $test2 = grep -Eis '^\s*ciphers\s+([^#]+,)?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -eq $null -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.14" + Task = "Ensure only strong MAC algorithms are used" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*macs\s+([^#]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b' + try{ + $test2 = grep -Eis 
'^\s*macs\s+([^#]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -eq $null -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.15" + Task = "Ensure only strong Key Exchange algorithms are used" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei'^\s*kexalgorithms\s+([^#]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b' + try{ + $test2 = grep -Ei '^\s*kexalgorithms\s+([^#]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b' /etc/ssh/sshd_config + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if($test1 -eq $null -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.16" + Task = "Ensure SSH Idle Timeout Interval is configured" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientaliveinterval | cut -d ' ' -f 2 + $test2 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientalivecountmax | cut -d ' ' -f 2 + try{ + $test3 = grep -Eis '^\s*clientaliveinterval\s+(0|3[0-9][1-9]|[4-9][0-9][0-9]|[1-9][0-9][0-9][0-9]+|[6-9]m|[1-9][0-9]+m)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + $test4 = grep -Eis '^\s*ClientAliveCountMax\s+(0|[4-9]|[1-9][0-9]+)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if(($test1 -ge 1 -and $test1 -le 300) -and ($test2 -ge 1 -and $test2 -le 3) -and $test3 -eq $null -and $test4 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.17" + Task = "Ensure SSH LoginGraceTime is set to one minute or less" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime | cut -d ' ' -f 2 + try{ + $test2 = grep -Eis '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if(($test1 -ge 1 -and $test1 -le 60) -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.18" + Task = "Ensure SSH warning banner is configured" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep banner + try{ + $test2 = grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -match "banner /etc/issue.net" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.19" + Task = "Ensure SSH PAM is enabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i usepam + try{ + $test2 = grep -Eis '^\s*UsePAM\s+no' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + if($test1 -match "usepam yes" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.20" + Task = "Ensure SSH AllowTcpForwarding is disabled" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i allowtcpforwarding + try{ + $test2 = grep -Eis '^\s*AllowTcpForwarding\s+yes\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -match "allowtcpforwarding no" -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.21" + Task = "Ensure SSH MaxStartups is configured" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups + try{ + $test2 = grep -Eis '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" 
+ Status = "False" + } + } + $value1 = $test1 | cut -d ':' -f 1 + $value2 = $test1 | cut -d ':' -f 2 + $value3 = $test1 | cut -d ':' -f 3 + if($value1 -ge 10 -and $value2 -ge 30 -and $value3 -ge 60 -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.3.22" + Task = "Ensure SSH MaxSessions is limited" + Test = { + try{ + $test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxsessions | cut -d ' ' -f 2 + + try{ + $test2 = grep -Eis '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf + } + catch{ + return @{ + Message = "Path not found!" + Status = "False" + } + } + if($test1 -le 10 -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command doesn't exist" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.4.1" + Task = "Ensure password creation requirements are configured" + Test = { + $test1 = grep '^\s*minlen\s*' /etc/security/pwquality.conf | cut -d ' ' -f 3 + $test2 = grep '^\s*minclass\s*' /etc/security/pwquality.conf | cut -d ' ' -f 3 + $test3 = grep -E '^\s*password\s+(requisite|required)\s+pam_pwquality\.so\s+(\S+\s+)*retry=[1-3]\s*(\s+\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password | cut -d '=' -f 2 + if($test1 -ge 14 -and $test2 -eq 4 -and $test3 -le 3){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.4.2" + Task = "Ensure lockout for failed password attempts is configured" + Test = { + $test1 = grep "pam_tally2" /etc/pam.d/common-auth + $test2 = grep -E 
"pam_(tally2|deny)\.so" /etc/pam.d/common-account + if($test1 -ne $null -and $test2 -match "pam_deny.so" -and $test2 -match "pam_tally2.so"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.4.3" + Task = "Ensure password reuse is limited" + Test = { + $test1 = grep -E '^\s*password\s+required\s+pam_pwhistory\.so\s+([^#]+\s+)?remember=([5-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password | cut -d '=' -f 2 + if($test1 -ge 5){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.4.4" + Task = "Ensure password hashing algorithm is SHA-512" + Test = { + $test1 = grep -E '^\s*password\s+(\[success=1\s+default=ignore\]|required)\s+pam_unix\.so\s+([^#]+\s+)?sha512\b' /etc/pam.d/common-password + if($test1 -match "password" -and $test1 -match "success=1" -and $test1 -match "default=ignore" -and $test1 -match "sha512"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.1" + Task = "Ensure minimum days between password changes is configured" + Test = { + $test1 = grep PASS_MIN_DAYS /etc/login.defs | cut -d ' ' -f 2 + $test2 = awk -F : '(/^[^:]+:[^!*]/ && $4 < 1){print $1 " " $4}' /etc/shadow + if($test1 -ge 1 -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.2" + Task = "Ensure password expiration is 365 days or less" + Test = { + try{ + $res=grep PASS_MAX_DAYS /etc/login.defs | tail -1 | cut -d ' ' -f 1 + $res=$res.substring($res.Length -3) + + $min=grep PASS_MIN_DAYS /etc/login.defs | tail -1 | cut -d ' ' -f 2 + $min=$min.substring($min.Length -1) + + $test1 = awk -F: '(/^[^:]+:[^!*]/ && ($5>365 || 
$5~/([0-1]|-1|\s*)/)){print $1 " " $5}' /etc/shadow + if($res -le 365 -and $res -gt $min -and $test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "5.5.1.3" + Task = "Ensure password expiration warning days is 7 or more" + Test = { + $test1 = grep PASS_WARN_AGE /etc/login.defs | cut -d ' ' -f 2 + $test2 = bash -c "awk -F: '(/^[^:]+:[^!*]/ && `$6<7){print `$1 " " `$6}' /etc/shadow" + if($test1 -ge 7 -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.4" + Task = "Ensure inactive password lock is 30 days or less" + Test = { + $test1 = useradd -D | grep INACTIVE | cut -d '=' -2 + if($test1 -le 30){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.1.5" + Task = "Ensure all users last password change date is in the past" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-5.5.1.5.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.2" + Task = "Ensure system accounts are secured" + Test = { + $test1 = awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd + $test2 = awk -F: '($1!~/(root|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}'/etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}' + if($test1 -eq $null -and $test2 -eq 
$null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.5.3" + Task = "Ensure default group for the root account is GID 0" + Test = { + $test1 = grep "^root:" /etc/passwd | cut -f4 -d ':' + if($test1 -eq 0){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "5.7" + Task = "Ensure access to the su command is restricted" + Test = { + $test1 = grep pam_wheel.so /etc/pam.d/su + + if($test1 -match "^\s*auth\s+required\s+pam_wheel.so\s+use_uid\s+group="){ + $test2 = $test1 | cut -d '=' -f 2 + $test3 = grep $test2 /etc/group | cut -d ':' -f 4 + if($test3 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.1" + Task = "Audit system file permissions" + Test = { + $test1 = dpkg --verify $(dpkg --get-selections | awk '{print $1}') + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat /etc/passwd + if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat /etc/passwd- + if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.4" + Task = "Ensure permissions on 
/etc/group are configured" + Test = { + $test1 = stat /etc/group + if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.5" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat /etc/group- | grep 0644 + if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.6" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat /etc/shadow | grep 0640 + if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.7" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat /etc/shadow- | grep 0640 + if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+42/\s+shadow)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.8" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat /etc/gshadow | grep 0640 + if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+42/\s+shadow)"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.9" + Task = "Ensure permissions on /etc/gshadow- are configured" + Test = { + $test1 = stat /etc/gshadow- | grep 0640 + if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+42/\s+shadow)"){ + 
return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.10" + Task = "Ensure no world writable files exist" + Test = { + #$partitions = mapfile -t partitions < (sudo fdisk -l | grep -o '/dev/[^ ]*') + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.11" + Task = "Ensure no unowned files or directories exist" + Test = { + try{ + $test1 = df --local -P | awk "{if (NR -ne 1) { print `$6 }}" | xargs -I '{}' find '{}' -xdev -nouser + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "6.1.12" + Task = "Ensure no ungrouped files or directories exist" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.1.13" + Task = "Audit SUID executables" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + $message = "" + foreach($line in $test1){ + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "6.1.14" + Task = "Audit SGID executables" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + $message = "" + foreach($line in $test1){ + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "6.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $test1 = awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}'/etc/passwd + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.2" + Task = "Ensure password fields are not empty" + Test = { + $test1 = awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow + if($test1 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.3" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.3.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.4" + Task = "Ensure all users' home directories exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.4.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +# [AuditTest] @{ +# Id = "6.2.5" +# Task = "Ensure users own their home directories" +# Test = { +# Write-Error "Test" +# $parentPath = Split-Path -Parent -Path $PSScriptRoot +# $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.5.sh" +# $result=bash $path +# Write-Error "Test" +# if($result -eq $null){ +# return @{ +# Message = "Compliant" +# Status = "True" +# } +# } +# return @{ +# 
Message = "Not-Compliant" +# Status = "False" +# } +# } +# } +[AuditTest] @{ + Id = "6.2.6" + Task = "Ensure users' home directories permissions are 750 or more restrictive" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.6.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.7" + Task = "Ensure users' dot files are not group or world writable" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.7.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.8" + Task = "Ensure no users have .netrc files" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.8.sh" + $result=bash $path + if($result -match "FAILED"){ + return @{ + Message = "Not-Compliant. Permissions need to get updated." + Status = "False" + } + } + if($result -match "WARNING" -and $result -notmatch "FAILED"){ + return @{ + Message = "Some changed should be made." 
+ Status = "Warning" + } + } + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.9" + Task = "Ensure no users have .forward files" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.9.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.10" + Task = "Ensure no users have .rhosts files" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.10.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.11" + Task = "Ensure root is the only UID 0 account" + Test = { + $test1 = awk -F: '($3 == 0) { print $1 }' /etc/passwd + if($test1 -match "root"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.12" + Task = "Ensure root PATH Integrity" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.12.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.13" + Task = "Ensure no duplicate UIDs exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.13.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = 
"Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.14" + Task = "Ensure no duplicate GIDs exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.14.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.15" + Task = "Ensure no duplicate user names exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.15.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.16" + Task = "Ensure no duplicate group names exist" + Test = { + $parentPath = Split-Path -Parent -Path $PSScriptRoot + $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.16.sh" + $result=bash $path + if($result -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.17" + Task = "Ensure shadow group is empty" + Test = { + $test1 = awk -F: '($1=="shadow") {print $NF}' /etc/group + $test2 = awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd + if($test1.Length -eq 0 -and $test2 -eq $null){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} \ No newline at end of file diff --git a/ATAPAuditor/AuditGroups/Ubuntu Linux 22.04-CIS-2.0.0.ps1 b/ATAPAuditor/AuditGroups/Ubuntu Linux 22.04-CIS-2.0.0.ps1 new file mode 100644 index 0000000..a150f34 --- /dev/null +++ b/ATAPAuditor/AuditGroups/Ubuntu Linux 22.04-CIS-2.0.0.ps1 
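Review bot: several checks in this audit group compare the wrong thing and so never report the state they intend, failing silently instead of loudly. In 6.1.2 through 6.1.9, `if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)")` uses `-eq` (exact string equality) against what is written as a regular expression, and `$test1` is the multi-line output of `stat`, so the condition is always false and every one of these permission checks reports Not-Compliant on a correctly configured host; use `-match` with the parentheses escaped, or compare `stat -c '%a %u %g' /etc/passwd` against `"644 0 0"`. In 5.5.1.4, `cut -d '=' -2` is missing `-f`; cut rejects `-2` as an invalid option, so `$test1` stays empty and INACTIVE is never actually evaluated (it should be `cut -d '=' -f 2`). In 5.5.2 (the second awk) and in 6.2.1 the file path is glued to the awk program with no separating space (`'{print $2}'/etc/login.defs` and `"}'/etc/passwd`), so awk reads the path as part of the program text. In 6.2.11, `$test1 -match "root"` still passes when a second UID 0 account exists alongside root; the control requires root to be the only result, which needs `$test1 -eq "root"` on a single-element result (or a count check). In 5.3.21, `$test1 | cut -d ':' -f 1` yields `maxstartups 10` rather than `10`, so the `-ge` comparisons are string comparisons; split off the value first and cast it with `[int]`. In 5.5.1.2 the `.substring($res.Length -3)` and `.substring($min.Length -1)` slicing assumes fixed-width numbers (a PASS_MIN_DAYS of 10 becomes `0`); `awk '/^PASS_MAX_DAYS/{print $2}' /etc/login.defs` handles both tab and space separation, which the `cut -d ' ' -f 2` used in 5.5.1.1 does not. Also, 6.1.11 embeds the PowerShell operator `-ne` inside the awk program while 6.1.10 and 6.1.12 correctly use `NR!=1`, and the commented-out 6.2.5 block still carries `Write-Error "Test"` debug lines and should be finished or removed before merge.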
@@ -0,0 +1,4109 @@ +. "$RootPath\Helpers\LinuxHelper.ps1" + +$rcFirewallStatus1 = "Using nftables" +$rcFirewallStatus2 = "Using ufw" +$rcFirewallStatus3 = "Using iptables" + +$retCompliant = @{ + Message = $rcCompliant + Status = $rcTrue +} +$retNonCompliant = @{ + Message = $rcNonCompliant + Status = $rcFalse +} +$retCompliantIPv6Disabled = @{ + Message = $rcCompliantIPv6isDisabled + Status = $rcTrue +} +$retNonCompliantManualReviewRequired = @{ + Message = $rcNonCompliantManualReviewRequired + Status = $rcNone +} +$retUsingFW1 = @{ + Message = $rcFirewallStatus1 + Status = $rcNone +} +$retUsingFW2 = @{ + Message = $rcFirewallStatus2 + Status = $rcNone +} +$retUsingFW3 = @{ + Message = $rcFirewallStatus3 + Status = $rcNone +} + +# Firewall evaluation +function GetFirewallStatus { + # 0 - undefined + # 1 - using nftables + # 2 - using ufw + # 3 - using iptables + + $t_UFW = Test-PackageInstalled -PackageName ufw + $t_NFT = Test-PackageInstalled -PackageName nftables + $t_IPT = Test-PackageInstalled -PackageName iptables + $t_UFW_en = systemctl is-enabled ufw 2>/dev/null + if ($t_UFW){ + $t_UFW_inac = ufw status 2>/dev/null | grep -iE "Status: Ina[ck]tive?" + $t_UFW_ac = ufw status 2>/dev/null | grep -iE "Status: A[ck]tive?" + } else { + $t_UFW_ac = $null + $t_UFW_inac = $null + } + $t_NFT_en = systemctl is-enabled nftables.service 2>/dev/null + + # Testing 1 - nftable installed, ufw not or inactive + if ($t_NFT -and ! $t_IPT -and (! $t_UFW -or $t_UFW_inac -ne $null) -and $t_NFT_en -match "enabled"){ + return 1 + } + + # Testing 2 - ufw, iptables installed, nftables not + if ( $t_UFW -and $t_UFW_ac -ne $null -and $t_UFW_en -match "enabled" -and $t_IPT -and ! $t_NFT){ + return 2 + } + + # Testing 3 - only iptables + if (! $t_NFT -and ! 
$t_UFW -and $t_IPT){ + return 3 + } + + return 0 +} + +$FirewallStatus = GetFirewallStatus + +$parentPath = Split-Path -Parent -Path $PSScriptRoot +$scriptPath = $parentPath + "/Helpers/ShellScripts/Ubuntu22.04_Debian12/" +$commonPath = $parentPath + "/Helpers/ShellScripts/common/" + +[AuditTest] @{ + Id = "1.1.1.1" + Task = "Ensure cramfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.2" + Task = "Ensure freevxfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.3" + Task = "Ensure hfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.4" + Task = "Ensure hfsplus kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.5" + Task = "Ensure jffs2 kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.6" + Task = "Ensure squashfs kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.7" + Task = "Ensure udf kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.7.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.1.8" + Task = "Ensure usb-storage kernel module is not available" + Test = { + $script = $commonPath + "1.1.1.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.1" + Task = "Ensure /tmp is a separate partition" + Test = { + $result = findmnt --kernel /tmp + if($result -match "/tmp"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.1.2" + Task = "Ensure nodev option set on /tmp partition" + Test = { + $script = $commonPath + "1.1.2.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.3" + Task = "Ensure nosuid option set on /tmp partition" + Test = { + $script = $commonPath + "1.1.2.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.1.4" + Task = "Ensure noexec option set on /tmp partition" + Test = { + $result = findmnt --kernel /tmp | grep noexec + if($result -match "noexec"){ + return $retCompliant + } + + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "1.1.2.2.1" + Task = "Ensure /dev/shm is a separate partition" + Test = { + $script = $scriptPath + "1.1.2.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + +[AuditTest] @{ + Id = "1.1.2.2.2" + Task = "Ensure nodev option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.2.3" + Task = "Ensure nosuid option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.2.4" + Task = "Ensure noexec option set on /dev/shm partition" + Test = { + $script = $commonPath + "1.1.2.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.3.1" + Task = "Ensure separate partition exists for /home" + Test = { + $result = findmnt --kernel /home + if($result -match "/home"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.3.2" + Task = "Ensure nodev option set on /home partition" + Test = { + $script = $commonPath + "1.1.2.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.3.3" + Task = "Ensure nosuid option set on /home partition" + Test = { + $script = $commonPath + "1.1.2.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.4.1" + Task = "Ensure separate partition exists for /var" + Test = { + $result = findmnt --kernel /var + if($result -match !$null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.4.2" + Task = "Ensure nodev option set on /var partition" + Test = { + $script = $commonPath + "1.1.2.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.4.3" + Task = "Ensure nosuid option set on /var partition" + Test = { + $script = $commonPath + "1.1.2.4.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.1" + Task = "Ensure separate partition exists for /var/tmp" + Test = { + $result = findmnt --kernel /var/tmp + if($result -match "/var/tmp"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.5.2" + Task = "Ensure nodev option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.3" + Task = "Ensure nosuid option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.5.4" + Task = "Ensure noexec option set on /var/tmp partition" + Test = { + $script = $commonPath + "1.1.2.5.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.1" + Task = "Ensure separate partition exists for /var/log" + Test = { + $result = findmnt --kernel /var/log + if($result -match !$null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.6.2" + Task = "Ensure nodev option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.3" + Task = "Ensure nosuid option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.6.4" + Task = "Ensure noexec option set on /var/log partition" + Test = { + $script = $commonPath + "1.1.2.6.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.1" + Task = "Ensure separate partition exists for /var/log/audit" + Test = { + $result = findmnt --kernel /var/log/audit + if($result -match "/var/log/audit"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.1.2.7.2" + Task = "Ensure nodev option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.3" + Task = "Ensure nosuid option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.1.2.7.4" + Task = "Ensure noexec option set on /var/log/audit partition" + Test = { + $script = $commonPath + "1.1.2.7.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.2.1.1" + Task = "Ensure GPG keys are configured" + Test = { + $result = apt-key list + if($result -ne $null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.2.1.2" + Task = "Ensure package manager repositories are configured" + Test = { + $result = apt-cache policy + if($result -ne $null){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.2.2.1" + Task = "Ensure updates, patches, and additional security software are installed" + Test = { + $output = apt -s upgrade + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.3.1.1" + Task = "Ensure AppArmor is installed" + Test = { + $result = Test-PackageInstalled -PackageName apparmor 2>/dev/null + if($result){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.3.1.2" + Task = "Ensure AppArmor is enabled in the bootloader configuration" + Test = { + $script = $scriptPath + "1.3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.3.1.3" + Task = "Ensure all AppArmor Profiles are in enforce or complain mode" + Test = { + $profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1 + $profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1 + $profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1 + $result = expr $profileMode3 + $profileMode2 + + $unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1 + + if($result -eq $profileMode1 -and $unconfinedProcesses -eq 0){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.3.1.4" + Task = "Ensure all AppArmor Profiles are enforcing" + Test = { + $script = $scriptPath + "1.3.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.4.1" + Task = "Ensure bootloader password is set" + Test = { + $result1 = grep "^set superusers" /boot/grub/grub.cfg + $result2 = grep "^password" /boot/grub/grub.cfg + if($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.4.2" + Task = "Ensure access to bootloader config is configured" + Test = { + $script = $commonPath + "1.4.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.1" + Task = "Ensure address space layout randomization is enabled" + Test = { + $script = $commonPath + "1.5.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.2" + Task = "Ensure ptrace_scope is restricted" + Test = { + $script = $commonPath + "1.5.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} + + +[AuditTest] @{ + Id = "1.5.3" + Task = "Ensure core dumps are restricted" + Test = { + $script = $scriptPath + "1.5.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.5.4" + Task = "Ensure prelink is not installed" + Test = { + $test = Test-PackageInstalled -PackageName prelink + if(! $test){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "1.5.5" + Task = "Ensure Automatic Error Reporting is not enabled" + Test = { + $result1 = dpkg-query -s apport > /dev/null 2>&1 && grep -Psi -- '^\h*enabled\h*=\h*[^0]\b' /etc/default/apport + $result2 = systemctl is-active apport.service | grep '^active' + if($result1 -eq $null -and $result2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.1" + Task = "Ensure message of the day is configured properly" + Test = { + $script = $scriptPath + "1.6.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.6.2" + Task = "Ensure local login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue + + if($output1 -eq $null){ + return $retCompliant + } + + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + + if($output1 -ne $null -and $output2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.3" + Task = "Ensure remote login warning banner is configured properly" + Test = { + $output1 = cat /etc/issue.net + + if($output1 -eq $null){ + return $retCompliant + } + + $output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + + if($output1 -ne $null -and $output2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.4" + Task = "Ensure access to /etc/motd is configured" + Test = { + $script = $scriptPath + "1.6.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "1.6.5" + Task = "Ensure access to /etc/issue is configured" + Test = { + $output = stat -c '%#a' /etc/issue | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.6.6" + Task = "Ensure access to /etc/issue.net is configured" + Test = { + $output = stat -c '%#a' /etc/issue.net | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.1" + Task = "Ensure GDM is removed" + Test = { + $test = Test-PackageInstalled -PackageName gdm3 + if(! 
$test){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.2" + Task = "Ensure GDM login banner is configured" + Test = { + $path = $scriptPath + "1.8.2.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.3" + Task = "Ensure GDM disable-user-list option is enabled" + Test = { + $path = $scriptPath + "1.8.3.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.4" + Task = "Ensure GDM screen locks when the user is idle" + Test = { + $path = $scriptPath + "1.8.4.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.5" + Task = "Ensure GDM screen locks cannot be overridden" + Test = { + $path = $scriptPath + "1.8.5.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.6" + Task = "Ensure GDM automatic mounting of removable media is disabled" + Test = { + $path = $scriptPath + "1.8.6.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.7" + Task = "Ensure GDM disabling automatic mounting of removable media is not overridden" + Test = { + $path = $scriptPath + "1.8.7.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.8" + Task = "Ensure GDM autorun-never is enabled" + Test = { + $path = $scriptPath + "1.8.8.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.9" + Task = "Ensure GDM autorun-never is not overridden" + Test = { + $path = $scriptPath + "1.8.9.sh" + $result = bash $path + if($?){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "1.7.10" + Task = "Ensure XDCMP is not enabled" + 
Test = { + $script = $scriptPath + "1.7.10.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.1.1" + Task = "Ensure autofs services are not in use" + Test = { + $test = Test-PackageInstalled -PackageName autofs + if(! $test){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null autofs.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.2" + Task = "Ensure avahi daemon services are not in use" + Test = { + $status = Test-PackageInstalled -PackageName avahi-daemon + if(! $status){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null avahi-daemon.socket + if(! $?){ + $test3 = systemctl is-enabled 2>/dev/null avahi-daemon.service + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.3" + Task = "Ensure dhcp server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName isc-dhcp-server + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null isc-dhcp-server.service + if(! $?){ + $test2 = systemctl is-enabled 2>/dev/null isc-dhcp-server6.service + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.4" + Task = "Ensure dns server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName bind9 + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null bind9.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.5" + Task = "Ensure dnsmasq server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName dnsmasq + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null dnsmasq.service + if(! 
$?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.6" + Task = "Ensure ftp server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName vsftpd + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null vsftpd.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.7" + Task = "Ensure ldap server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName slapd + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null slapd.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.8" + Task = "Ensure message access server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName dovecot-imapd + $test2 = Test-PackageInstalled -PackageName dovecot-pop3d + if(! $test1 -and ! $test2){ + return $retCompliant + } + else{ + $test3 = systemctl is-enabled 2>/dev/null dovecot.socket + if(! $?){ + $test4 = systemctl is-enabled 2>/dev/null dovecot.service + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.9" + Task = "Ensure network file system services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName nfs-kernel-server + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null nfs-kernel.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.10" + Task = "Ensure nis server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName ypserv + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null ypserv.service + if(! 
$?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.11" + Task = "Ensure print server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName cups + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null cups.service + if(! $?){ + $test3 = systemctl is-enabled 2>/dev/null cups.socket + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.12" + Task = "Ensure rpcbind services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName rpcbind + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null rpcbind.service + if(! $?){ + $test3 = systemctl is-enabled 2>/dev/null rpcbind.socket + if(! $?){ + return $retCompliant + } + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.13" + Task = "Ensure rsync services are not in use" + Test = { + $script = $commonPath + "2.1.13.sh" + bash $script + if ($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.14" + Task = "Ensure samba file server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName samba 2>/dev/null + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null samba.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.15" + Task = "Ensure snmp services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName snmpd + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null snmpd.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.16" + Task = "Ensure tftp server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName tftpd-hpa + if(! 
$test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null tftpd-hpa.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.17" + Task = "Ensure web proxy server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName squid + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null squid.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.18" + Task = "Ensure web server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName apache2 + $test2 = Test-PackageInstalled -PackageName ginx + if(! $test1 -and ! $test2){ + return $retCompliant + } + else{ + $services = 'apache2.service', 'apache2.socket', 'nginx.service', 'nginx.socket' + $test3 = "disabled" + foreach ($service in $services){ + $test4 = systemctl is-enabled $service 2>/dev/null + if($?){ + $test3 = "enabled" + } + } + if($test3 -match "disabled"){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.19" + Task = "Ensure xinetd services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName xinetd + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null xinetd.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.20" + Task = "Ensure X window server services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName xserver-common + if(! 
$test1){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.21" + Task = "Ensure mail transfer agent is configured for local-only mode" + Test = { + $test1 = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.1.22" + Task = "Ensure only approved services are listening on a network interface" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "2.2.1" + Task = "Ensure NIS Client is not installed" + Test = { + $test1 = Test-PackageInstalled -PackageName nis + if(! $test1){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.2.2" + Task = "Ensure rsh client is not installed" + Test = { + $status = Test-PackageInstalled -PackageName rsh-client + if(! $status){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.3" + Task = "Ensure talk client is not installed" + Test = { + $test1 = Test-PackageInstalled -PackageName talk + if(! $test1){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.4" + Task = "Ensure telnet client Server is not installed" + Test = { + $test1 = Test-PackageInstalled -PackageName telnet + if(! $test1){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.5" + Task = "Ensure ldap client is not installed" + Test = { + $test1 = Test-PackageInstalled -PackageName lapd-utils + if(! $test1){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.2.6" + Task = "Ensure ftp client is not installed" + Test = { + $test1 = Test-PackageInstalled -PackageName ftp + if(! 
$test1){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "2.3.1.1" + Task = "Ensure a single time synchronization daemon is in use" + Test = { + $path = $scriptPath + "2.1.1.1.sh" + $result = bash $path + if($result -match "PASS:"){ + return $retCompliant + } + + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.3.2.1" + Task = "Ensure systemd-timesyncd configured with authorized timeserver" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "2.3.2.2" + Task = "Ensure systemd-timesyncd is enabled and running" + Test = { + $test1 = systemctl is-enabled systemd-timesyncd.service + $time = timedatectl status + if($test1 -match "enabled" -and $time -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.3.3.1" + Task = "Ensure chrony is configured with authorized timeserver" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "2.3.3.2" + Task = "Ensure chrony is running as user _chrony" + Test = { + $script = $scriptPath + "2.3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.3.3.3" + Task = "Ensure chrony is enabled and running" + Test = { + $test1 = $(systemctl is-enabled cron.service 1>/dev/null 2>/dev/null; echo $?) + $test2 = $(systemctl is-active cron.service 1>/dev/null 2>/dev/null; echo $?) 
+ if($test1 -and $test2 ){ + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.1" + Task = "Ensure cron daemon is enabled and active" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if($test1 -eq "enabled" -and $test2 -match "running"){ + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test1 = stat -c '%#a' /etc/crontab | grep -q "0600" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.3" + Task = "Ensure permissions on /etc/cron.hourly are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.hourly/ | grep -q 0700 + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.4" + Task = "Ensure permissions on /etc/cron.daily are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.daily/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.5" + Task = "Ensure permissions on /etc/cron.weekly are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.weekly/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.6" + Task = "Ensure permissions on /etc/cron.monthly are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.monthly/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.7" + Task = "Ensure permissions on /etc/cron.d are configured" + Test = { + $test1 = stat -c '%#a' /etc/cron.d/ | grep -q "0700" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "2.4.1.8" + Task = "Ensure crontab is restricted to authorized users" + Test = { + $script = $commonPath + "2.4.1.8.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "2.4.2.1" + Task = "Ensure at is restricted to authorized users" + Test = { + $script = $commonPath + "2.4.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.1.1" + Task = "Ensure IPv6 status is identified" + Test = { + $path = $scriptPath + "3.1.1.sh" + $result = bash $path + if($result -match "IPv6 is enabled on the system"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "3.1.2" + Task = "Ensure wireless interfaces are disabled" + Test = { + $script = $commonPath + "3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.1.3" + Task = "Ensure bluetooth services are not in use" + Test = { + $test1 = Test-PackageInstalled -PackageName bluez + if(! $test1){ + return $retCompliant + } + else{ + $test2 = systemctl is-enabled 2>/dev/null bluetooth.service + if(! $?){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "3.2.1" + Task = "Ensure dccp kernel module is not available" + Test = { + $script = $commonPath + "3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.2" + Task = "Ensure tipc kernel module is not available" + Test = { + $script = $commonPath + "3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.3" + Task = "Ensure rds kernel module is not available" + Test = { + $script = $commonPath + "3.2.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.2.4" + Task = "Ensure sctp kernel module is not available" + Test = { + $script = $commonPath + "3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.1" + Task = "Ensure ip forwarding is disabled" + Test = { + $script = $commonPath + "3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.2" + Task = "Ensure packet redirect sending is disabled" + Test = { + $script = $commonPath + "3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.3" + Task = "Ensure bogus icmp responses are ignored" + Test = { + $script = $commonPath + "3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.4" + Task = "Ensure broadcast icmp requests are ignored" + Test = { + $script = $commonPath + "3.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.5" + Task = "Ensure icmp redirects are not accepted" + Test = { + $script = $commonPath + "3.3.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.6" + Task = "Ensure secure icmp redirects are not accepted" + Test = { + $script = $commonPath + "3.3.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.7" + Task = "Ensure reverse path filtering is enabled" + Test = { + $script = $commonPath + "3.3.7.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.8" + Task = "Ensure source routed packets are not accepted" + Test = { + $script = $commonPath + "3.3.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.9" + Task = "Ensure suspicious packets are logged" + Test = { + $script = $commonPath + "3.3.9.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.10" + Task = "Ensure tcp syn cookies is enabled" + Test = { + $script = $commonPath + "3.3.10.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "3.3.11" + Task = "Ensure ipv6 router advertisements are not accepted" + Test = { + $script = $commonPath + "3.3.11.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "4.1.1" + Task = "Ensure ufw is installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName ufw + if($test1){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.2" + Task = "Ensure iptables-persistent is not installed with ufw" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName iptables-persistent + if(! 
$test1){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.3" + Task = "Ensure ufw service is enabled" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = systemctl is-enabled ufw 2>/dev/null + $test2 = systemctl is-active ufw 2>/dev/null + if($test1 -match "enabled" -and $test2 -match "active"){ + $test3 = ufw status | grep -iE "Status: A[ck]tive?" + if($test3 -ne $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.4" + Task = "Ensure ufw loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName ufw + if($test1){ + $test2 = ufw status verbose | grep -iE "Status: A[ck]tive?" + if($test2 -eq $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.5" + Task = "Ensure ufw outbound connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName ufw + if($test1){ + $test2 = ufw status numbered | grep -iE "Status: Ina[ck]tive?" 
+ if($test2 -eq $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.6" + Task = "Ensure ufw firewall rules exist for all open ports" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $path = $scriptPath + "3.5.1.6.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.1.7" + Task = "Ensure ufw default deny firewall policy" + Test = { + $test1 = Test-PackageInstalled -PackageName ufw + if($test1){ + $test2 = ufw status verbose | grep -iE "allow" + if($test2 -eq $null){ + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.1" + Task = "Ensure nftables is installed" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName nftables + if($test1){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.2" + Task = "Ensure ufw is uninstalled or disabled with nftables" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName ufw + if(! $test1){ + return $retCompliant + } else { + $test2 = ufw status | grep -iE "Status: Ina[ck]tive?" + if($test2 -ne $null) { + return $retCompliant + } + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "4.2.3" + Task = "Ensure iptables are flushed with nftables" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $script = $scriptPath + "4.2.3.sh" + $result = bash $script + if ($?) 
{ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.4" + Task = "Ensure a nftables table exists" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list tables + if($test1 -match "table"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.5" + Task = "Ensure nftables base chains exist" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.6" + Task = "Ensure nftables loopback traffic is configured" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + if($isIPv6Disabled -ne $true){ + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + $test2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + if($test1 -match 'iif "lo" accept' -and $test2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"){ + return $retCompliant + } + } + else{ + $test = nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + if($test -match 'ip6 saddr ::1 counter packets 0 bytes 0 drop'){ + return $retCompliant + } + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.7" + Task = "Ensure nftables outbound and established connections are configured" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + $test2 = nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + if($test1 -match "ip protocol tcp ct state established accept" -and $test1 -match "p protocol udp ct state established accept" -and $test1 -match "ip protocol icmp ct state established accept" -and $test2 -match "ip protocol tcp ct state established,related,new accep" -and $test2 -match "ip protocol udp ct state established,related,new accept" -and $test2 -match "ip protocol icmp ct state established,related,new accept"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" + Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.8" + Task = "Ensure nftables default deny firewall policy" + Test = { + try{ + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = nft list ruleset | grep 'hook input' + $test2 = nft list ruleset | grep 'hook forward' + $test3 = nft list ruleset | grep 'hook output' + if($test1 -match "policy drop" -and $test2 -match "policy drop" -and $test3 -match "policy drop"){ + return $retCompliant + } + return $retNonCompliant + } + catch{ + return @{ + Message = "Command not found!" 
+ Status = "False" + } + } + } +} +[AuditTest] @{ + Id = "4.2.9" + Task = "Ensure nftables service is enabled" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $test1 = systemctl is-enabled nftables + if($test1 -match "enabled"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.2.10" + Task = "Ensure nftables rules are permanent" + Test = { + if ($FirewallStatus -match 2) { + return $retUsingFW1 + } + if ($FirewallStatus -match 3) { + return $retUsingFW3 + } + $path1 = $scriptPath + "3.5.2.10_1.sh" + $path2 = $scriptPath + "3.5.2.10_2.sh" + $path3 = $scriptPath + "3.5.2.10_3.sh" + if($path1 -ne $null -and $path2 -ne $null -and $path3 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.1.1" + Task = "Ensure iptables packages are installed" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName iptables-persistent + if($test1){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.1.2" + Task = "Ensure nftables is not installed with iptables" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName nftables + if(! $test1){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "4.3.1.3" + Task = "Ensure ufw is uninstalled or disabled with iptables" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = Test-PackageInstalled -PackageName ufw + if(! $test1){ + return $retCompliant + } else { + $test2 = ufw status | grep -iE "Status: Ina[ck]tive?" 
+ $test3 = systemctl is-enabled ufw + if($test2 -ne $null -and $test3 -match "masked") { + return $retCompliant + } + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.2.1" + Task = "Ensure iptables default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $output = iptables -L + $test1 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $test2 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $test3 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.2.2" + Task = "Ensure iptables loopback traffic is configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP" + $test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP" + if($test1 -ne $null -and $test2 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.2.3" + Task = "Ensure iptables outbound and established connections are configured" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $test1 = iptables -L -v -n + if($test1 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +# 3.5.3.2.4 ... 
+ +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "4.3.2.4" + Task = "Ensure iptables firewall rules exist for all open ports" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "4.3.3.1" + Task = "Ensure ip6tables default deny firewall policy" + Test = { + if ($FirewallStatus -match 1) { + return $retUsingFW1 + } + if ($FirewallStatus -match 2) { + return $retUsingFW3 + } + $output = ip6tables -L + $test11 = $output -match "DROP" | grep "Chain INPUT (policy DROP)" + $test12 = $output -match "REJECT" | grep "Chain INPUT (policy REJECT)" + $test21 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)" + $test22 = $output -match "REJECT" | grep "Chain OUTPUT (policy REJECT)" + $test31 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)" + $test32 = $output -match "REJECT" | grep "Chain FORWARD (policy REJECT)" + + if ($IPv6Status -eq $false) { + return @{ + Message = "IPv6 is disabled" + Status = "True" + } + } + if(($test11 -ne $null -or $test12 -ne $null) -and ($test21 -ne $null -or $test22 -ne $null) -and ($test31 -ne $null -or $test32 -ne $null)){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "4.3.3.2" + Task = "Ensure ip6tables loopback traffic is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "4.3.3.3" + Task = "Ensure ip6tables outbound and established connections are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "4.3.3.4" + Task = "Ensure ip6tables firewall rules exist for all open ports" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "5.1.1" + Task = "Ensure cron daemon is enabled and running" + Test = { + $test1 = systemctl is-enabled cron + $test2 = systemctl status cron | grep 'Active: active (running) ' + if($test1 -eq "enabled" -and $test2 -match "running"){ + return $retCompliant + } + return 
$retNonCompliant + } +} +[AuditTest] @{ + Id = "5.1.2" + Task = "Ensure permissions on /etc/crontab are configured" + Test = { + $test1 = stat -c '%#a' /etc/crontab | grep -q "0600" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.1.3" + Task = "Ensure permissions on SSH public host key files are configured" + Test = { + $script = $commonPath + "5.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.4" + Task = "Ensure sshd access is configured" + Test = { + if (sshd -T | grep -Piq -- "^\h*(allow|deny)(users|groups)\h+\H+") { + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.1.5" + Task = "Ensure sshd Banner is configured" + Test = { + if (sshd -T | grep -Piq -- "^\h*banner\h+\H+") { + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.1.6" + Task = "Ensure sshd Ciphers are configured" + Test = { + $script = $scriptPath + "5.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.7" + Task = "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" + Test = { + $script = $scriptPath + "5.1.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.8" + Task = "Ensure sshd DisableForwarding is enabled" + Test = { + $script = $scriptPath + "5.1.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.9" + Task = "Ensure sshd GSSAPIAuthentication is disabled" + Test = { + $script = $scriptPath + "5.1.9.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.10" + Task = "Ensure sshd HostbasedAuthentication is disabled" + Test = { + $script = $scriptPath + "5.1.10.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.11" + Task = "Ensure sshd IgnoreRhosts is enabled" + Test = { + $script = $scriptPath + "5.1.11.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.12" + Task = "Ensure sshd KexAlgorithms is configured" + Test = { + $script = $scriptPath + "5.1.12.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.13" + Task = "Ensure sshd LoginGraceTime is configured" + Test = { + $script = $scriptPath + "5.1.13.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.14" + Task = "Ensure sshd LogLevel is configured" + Test = { + $script = $scriptPath + "5.1.14.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.15" + Task = "Ensure sshd MACs are configured" + Test = { + $script = $scriptPath + "5.1.15.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.16" + Task = "Ensure sshd MaxAuthTries is configured" + Test = { + $script = $commonPath + "5.1.16.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.17" + Task = "Ensure sshd MaxSessions is configured" + Test = { + $script = $scriptPath + "5.1.17.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.18" + Task = "Ensure sshd MaxStartups is configured" + Test = { + $script = $scriptPath + "5.1.18.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.19" + Task = "Ensure sshd PermitEmptyPasswords is disabled" + Test = { + $script = $commonPath + "5.1.19.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.20" + Task = "Ensure sshd PermitRootLogin is disabled" + Test = { + $script = $commonPath + "5.1.20.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.21" + Task = "Ensure sshd PermitUserEnvironment is disabled" + Test = { + $script = $commonPath + "5.1.21.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.1.22" + Task = "Ensure sshd UsePAM is enabled" + Test = { + $script = $commonPath + "5.1.22.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.1" + Task = "Ensure sudo is installed" + Test = { + $test1 = Test-PackageInstalled -PackageName sudo + if($test1){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.2.2" + Task = "Ensure sudo commands use pty" + Test = { + $script = $commonPath + "5.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.3" + Task = "Ensure sudo log file exists" + Test = { + $script = $commonPath + "5.2.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.4" + Task = "Ensure users must provide password for privilege escalation" + Test = { + $script = $scriptPath + "5.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.5" + Task = "Ensure re-authentication for privilege escalation is not disabled globally" + Test = { + $script = $scriptPath + "5.2.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.6" + Task = "Ensure sudo authentication timeout is configured correctly" + Test = { + $script = $commonPath + "5.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.2.7" + Task = "Ensure access to the su command is restricted" + Test = { + $script = $scriptPath + "5.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.1.1" + Task = "Ensure latest version of pam is installed" + Test = { + $test1 = Test-PackageInstalled -PackageName libpam-runtime + if($test1){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.3.1.2" + Task = "Ensure libpam-modules is installed" + Test = { + $test1 = Test-PackageInstalled -PackageName libpam-modules + if($test1){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.3.1.3" + Task = "Ensure libpam-pwquality is installed" + Test = { + $test1 = Test-PackageInstalled -PackageName libpam-pwquality + if($test1){ + return $retNonCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "5.3.2.1" + Task = "Ensure pam_unix module is enabled" + Test = { + $script = $scriptPath + "5.3.2.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.2" + Task = "Ensure pam_faillock module is enabled" + Test = { + $script = $scriptPath + "5.3.2.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.3" + Task = "Ensure pam_pwquality module is enabled" + Test = { + $script = $scriptPath + "5.3.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.2.4" + Task = "Ensure pam_pwhistory module is enabled" + Test = { + $script = $scriptPath + "5.3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.1" + Task = "Ensure password failed attempts lockout is configured" + Test = { + $script = $commonPath + "5.3.3.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.2" + Task = "Ensure password unlock time is configured" + Test = { + $script = $commonPath + "5.3.3.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.1.3" + Task = "Ensure password failed attempts lockout includes root account" + Test = { + $script = $commonPath + "5.3.3.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.1" + Task = "Ensure password number of changed characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.2" + Task = "Ensure minimum password length is configured" + Test = { + $script = $commonPath + "5.3.3.2.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.3" + Task = "Ensure password complexity is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "5.3.3.2.4" + Task = "Ensure password same consecutive characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.5" + Task = "Ensure password maximum sequential characters is configured" + Test = { + $script = $commonPath + "5.3.3.2.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.6" + Task = "Ensure password dictionary check is enabled" + Test = { + $script = $commonPath + "5.3.3.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.7" + Task = "Ensure password quality checking is enforced" + Test = { + $script = $scriptPath + "5.3.3.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.2.8" + Task = "Ensure password quality is enforced for the root user" + Test = { + $script = $scriptPath + "5.3.3.2.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.1" + Task = "Ensure password history remember is configured" + Test = { + $script = $scriptPath + "5.3.3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.2" + Task = "Ensure password history is enforced for the root user" + Test = { + $script = $scriptPath + "5.3.3.3.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.3.3" + Task = "Ensure pam_pwhistory includes use_authtok" + Test = { + $script = $commonPath + "5.3.3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.1" + Task = "Ensure pam_unix does not include nullok" + Test = { + $script = $commonPath + "5.3.3.4.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.2" + Task = "Ensure pam_unix does not include remember" + Test = { + $script = $scriptPath + "5.3.3.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.3" + Task = "Ensure pam_unix includes a strong password hashing algorithm" + Test = { + $script = $scriptPath + "5.3.3.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.3.3.4.4" + Task = "Ensure pam_unix includes use_authtok" + Test = { + $script = $commonPath + "5.3.3.4.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.1" + Task = "Ensure password expiration is configured" + Test = { + $script = $commonPath + "5.4.1.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.2" + Task = "Ensure minimum password age is configured" + Test = { + $script = $commonPath + "5.4.1.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.3" + Task = "Ensure password expiration warning days is configured" + Test = { + $script = $commonPath + "5.4.1.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.4" + Task = "Ensure strong password hashing algorithm is configured" + Test = { + $script = $commonPath + "5.4.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.5" + Task = "Ensure inactive password lock is configured" + Test = { + $script = $commonPath + "5.4.1.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.1.6" + Task = "Ensure all users last password change date is in the past" + Test = { + $path = $scriptPath + "5.5.1.5.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.1" + Task = "Ensure root is the only UID 0 account" + Test = { + $test1 = awk -F: '($3 == 0) { print $1 }' /etc/passwd + if($test1 -match "root"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.2" + Task = "Ensure root is the only GID 0 account" + Test = { + $test1 = grep "^root:" /etc/passwd | cut -f4 -d ':' + if($test1 -eq 0){ + return $retCompliant + } + return $retNonCompliant + } + } + [AuditTest] @{ + Id = "5.4.2.3" + Task = "Ensure group root is the only GID 0 group" + Test = { + $script = $commonPath + "5.4.2.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.4" + Task = "Ensure root password is set" + Test = { + $script = $scriptPath + "5.4.2.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.5" + Task = "Ensure root PATH Integrity" + Test = { + $path = $scriptPath + "6.2.9.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.2.6" + Task = "Ensure root user umask is configured" + Test = { + $script = $commonPath + "5.4.2.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.7" + Task = "Ensure system accounts do not have a valid login shell" + Test = { + $script = $commonPath + "5.4.2.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.2.8" + Task = "Ensure accounts without a valid login shell are locked" + Test = { + $script = $commonPath + "5.4.2.8.sh" + bash $script + if ($?) { + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "5.4.3.1" + Task = "Ensure nologin is not listed in /etc/shells" + Test = { + $script = $commonPath + "5.4.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.3.2" + Task = "Ensure default user shell timeout is configured" + Test = { + $script = $commonPath + "5.4.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "5.4.3.3" + Task = "Ensure default user umask is configured" + Test = { + $script = $commonPath + "5.4.3.3.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.1.2" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd- | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.1.3" + Task = "Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + Test = { + $script = $commonPath + "6.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.1" + Task = "Ensure journald service is enabled and active" + Test = { + $test1 = systemctl is-enabled rsyslog + if($test1 -match "enabled"){ + return @{ + Message = "Compliant" + Status = "True" + } + } + return @{ + Message = "Not-Compliant" + Status = "False" + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.2" + Task = "Ensure journald log file access is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "6.2.1.1.3" + Task = "Ensure journald log file rotation is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "6.2.1.1.4" + Task = "Ensure journald ForwardToSyslog is disabled" + Test = { + $script = $scriptPath + "6.2.1.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.5" + Task = "Ensure journald Storage is configured" + Test = { + $script = $scriptPath + "6.2.1.1.5.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.1.6" + Task = "Ensure journald Compress is configured" + Test = { + $script = $scriptPath + "6.2.1.1.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.1.2.1" + Task = "Ensure systemd-journal-remote is installed" + Test = { + $test1 = Test-PackageInstalled -PackageName systemd-journal-remote + if($test1){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ + Id = "6.2.1.2.2" + Task = "Ensure systemd-journal-remote authentication is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ + Id = "6.2.1.2.3" + Task = "Ensure systemd-journal-upload is enabled and active" + Test = { + $test1 = systemctl is-enabled systemd-journal-upload.service + $test2 = systemctl is-active systemd-journal-upload.service + if($test1 -eq "enabled" -and $test2 -match "active"){ + return $retCompliant + } + return $retCompliant + } +} +[AuditTest] @{ + Id = "6.2.1.2.4" + Task = "Ensure systemd-journal-remote service is not in use" + Test = { + $script = $scriptPath + "6.2.1.2.4.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.2.2.1" + Task = "Ensure access to all logfiles has been configured" + Test = { + $fileListAll = find /var/log -type f -ls + $fileListFiltered = find /var/log -type f -ls | grep "\-....\-\-\-\-\-" + if($fileListAll.Count -eq $fileListFiltered.Count){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.1.1" + Task = "Ensure auditd packages are installed" + Test = { + $test1 = Test-PackageInstalled -PackageName auditd + $test2 = Test-PackageInstalled -PackageName audispd-plugins + if($test1 -and $test2){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.1.2" + Task = "Ensure auditd service is enabled and active" + Test = { + $test1 = systemctl is-enabled auditd + if($test1 -match "enabled"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.1.3" + Task = "Ensure auditing for processes that start prior to auditd is enabled" + Test = { + $script = $scriptPath + "6.3.1.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.1.4" + Task = "Ensure audit_backlog_limit is sufficient" + Test = { + $script = $scriptPath + "6.3.1.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.1" + Task = "Ensure audit log storage size is configured" + Test = { + $script = $commonPath + "6.3.2.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.2" + Task = "Ensure audit logs are not automatically deleted" + Test = { + $script = $commonPath + "6.3.2.2.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.2.3" + Task = "Ensure system is disabled when audit logs are full" + Test = { + $test1 = grep -Pi -- '^\h*disk_full_action\h*=\h*(halt|single)\b' /etc/audit/auditd.conf + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.2.4" + Task = "Ensure system warns when audit logs are low on space" + Test = { + $test1 = grep -Pi -- '^\h*space_left_action\h*=\h*\w+\b' /etc/audit/auditd.conf | awk '{print $3}' + if($test1 -match "^(email|exec|single|halt)$"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.3.1" + Task = "Ensure changes to system administration scope is collected" + Test = { + $script = $commonPath + "6.3.3.1.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.2" + Task = "Ensure actions as another user are always logged" + Test = { + $script = $commonPath + "6.3.3.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.3" + Task = "Ensure events that modify the sudo log file are collected" + Test = { + $script = $commonPath + "6.3.3.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.4" + Task = "Ensure events that modify date and time information are collected" + Test = { + $script = $commonPath + "6.3.3.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.5" + Task = "Ensure events that modify the system's network environment are collected" + Test = { + $script = $commonPath + "6.3.3.5.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.6" + Task = "Ensure use of privileged commands are collected" + Test = { + $script = $commonPath + "6.3.3.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.7" + Task = "Ensure unsuccessful file access attempts are collected" + Test = { + $script = $commonPath + "6.3.3.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.8" + Task = "Ensure events that modify user/group information are collected" + Test = { + $script = $commonPath + "6.3.3.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.9" + Task = "Ensure discretionary access control permission modification events are collected" + Test = { + $script = $commonPath + "6.3.3.9.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.10" + Task = "Ensure successful file system mounts are collected" + Test = { + $script = $commonPath + "6.3.3.10.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.11" + Task = "Ensure session initiation information is collected" + Test = { + $path1 = $scriptPath + "4.1.3.11_1.sh" + $result11 = bash $path1 | grep "\-w /var/run/utmp -p wa -k session" + $result12 = bash $path1 | grep "\-w /var/log/wtmp -p wa -k session" + $result13 = bash $path1 | grep "\-w /var/log/btmp -p wa -k session" + $path2 = $scriptPath + "4.1.3.11_2.sh" + $result21 = bash $path2 | grep "\-w /var/run/utmp -p wa -k session" + $result22 = bash $path2 | grep "\-w /var/log/wtmp -p wa -k session" + $result23 = bash $path2 | grep "\-w /var/log/btmp -p wa -k session" + if($result11 -ne $null -and $result12 -ne $null -and $result13 -ne $null -and $result21 -ne $null -and $result22 -ne $null -and $result23 -ne $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.3.12" + Task = "Ensure login and logout events are collected" + Test = { + $script = $commonPath + "6.3.3.12.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.13" + Task = "Ensure file deletion events by users are collected" + Test = { + $script = $commonPath + "6.3.3.13.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.14" + Task = "Ensure events that modify the system's Mandatory Access Controls are collected" + Test = { + $script = $commonPath + "6.3.3.14.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.15" + Task = "Ensure successful and unsuccessful attempts to use the chcon command are recorded" + Test = { + $script = $commonPath + "6.3.3.15.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.16" + Task = "Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + Test = { + $script = $commonPath + "6.3.3.16.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.17" + Task = "Ensure successful and unsuccessful attempts to use the chacl command are recorded" + Test = { + $script = $commonPath + "6.3.3.17.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.18" + Task = "Ensure successful and unsuccessful attempts to use the usermod command are recorded" + Test = { + $script = $commonPath + "6.3.3.18.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.19" + Task = "Ensure kernel module loading unloading and modification is collected" + Test = { + $script = $commonPath + "6.3.3.19.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.3.20" + Task = "Ensure the audit configuration is immutable" + Test = { + $test1 = grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -l + if($test1 -match "-e 2"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.3.21" + Task = "Ensure the running and on disk configuration is the same" + Test = { + $test1 = augenrules --check + if($test1 -match "/usr/sbin/augenrules: No change"){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "6.3.4.1" + Task = "Ensure audit log files mode is configured" + Test = { + $script = $scriptPath + "6.3.4.1.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.2" + Task = "Ensure audit log files owner is configured" + Test = { + $script = $scriptPath + "6.3.4.2.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.3" + Task = "Ensure audit log files group owner is configured" + Test = { + $script = $scriptPath + "6.3.4.3.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.4" + Task = "Ensure the audit log file directory mode is configured" + Test = { + $script = $scriptPath + "6.3.4.4.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.5" + Task = "Ensure audit configuration files mode is configured" + Test = { + $script = $commonPath + "6.3.4.5.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.6" + Task = "Ensure audit configuration files owner is configured" + Test = { + $script = $commonPath + "6.3.4.6.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.7" + Task = "Ensure audit configuration files group owner is configured" + Test = { + $script = $commonPath + "6.3.4.7.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.8" + Task = "Ensure audit tools mode is configured" + Test = { + $script = $commonPath + "6.3.4.8.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.9" + Task = "Ensure audit tools owner is configured" + Test = { + $script = $commonPath + "6.3.4.9.sh" + bash $script + if ($?) 
{ + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "6.3.4.10" + Task = "Ensure audit tools group owner is configured" + Test = { + $test1 = stat -Lc '%G' /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | awk '$1 != "root" {print}' + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.1" + Task = "Ensure permissions on /etc/passwd are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.2" + Task = "Ensure permissions on /etc/passwd- are configured" + Test = { + $test1 = stat -c '%#a' /etc/passwd- | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.3" + Task = "Ensure permissions on /etc/group are configured" + Test = { + $test1 = stat -c '%#a' /etc/group | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.4" + Task = "Ensure permissions on /etc/group- are configured" + Test = { + $test1 = stat -c '%#a' /etc/group- | grep -q "0644" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.5" + Task = "Ensure permissions on /etc/shadow are configured" + Test = { + $test1 = stat -c '%#a' /etc/shadow | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.6" + Task = "Ensure permissions on /etc/shadow- are configured" + Test = { + $test1 = stat -c '%#a' /etc/shadow- | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.7" + Task = "Ensure permissions on /etc/gshadow are configured" + Test = { + $test1 = stat -c '%#a' /etc/gshadow | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] 
@{ + Id = "7.1.8" + Task = "Ensure permissions on /etc/gshadow- are configured" + Test = { + $test1 = stat -c '%#a' /etc/gshadow- | grep -q "0640" + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.9" + Task = "Ensure permissions on /etc/shells are configured" + Test = { + $script = $commonPath + "7.1.9.sh" + bash $script + if ($?) { + return $retCompliant + } else { + return $retNonCompliant + } + } +} +[AuditTest] @{ + Id = "7.1.10" + Task = "Ensure permissions on /etc/security/opasswd are configured" + Test = { + $script = $commonPath + "7.1.10.sh" + $result = bash $script + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.11" + Task = "Ensure world writable files and directories are secured" + Test = { + #$partitions = mapfile -t partitions < (sudo fdisk -l | grep -o '/dev/[^ ]*') + #$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + $script = $commonPath + "7.1.11.sh" + $result = bash $script + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.12" + Task = "Ensure no files or directories without an owner and a group exist" + Test = { + $script = $commonPath + "7.1.12.sh" + $result = bash $script + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.1.13" + Task = "Ensure SUID and SGID files are reviewed" + Test = { + $test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + $message = "" + foreach($line in $test1){ + $message += "
$line" + } + return @{ + Message = "Please review following list of files: $($message)" + Status = "None" + } + } +} +[AuditTest] @{ + Id = "7.2.1" + Task = "Ensure accounts in /etc/passwd use shadowed passwords" + Test = { + $test1 = awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}'/etc/passwd + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.2" + Task = "Ensure /etc/shadow password fields are not empty" + Test = { + $test1 = awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow + if($test1 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.3" + Task = "Ensure all groups in /etc/passwd exist in /etc/group" + Test = { + $path = $scriptPath + "6.2.3.sh" + $result = bash $path + if($?){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.4" + Task = "Ensure shadow group is empty" + Test = { + $test1 = awk -F: '($1=="shadow") {print $NF}' /etc/group + $test2 = awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd + if($test1.Length -eq 0 -and $test2 -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.5" + Task = "Ensure no duplicate UIDs exist" + Test = { + $path = $scriptPath + "6.2.5.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.6" + Task = "Ensure no duplicate GIDs exist" + Test = { + $path = $scriptPath + "6.2.6.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.7" + Task = "Ensure no duplicate user names exist" + Test = { + $path = $scriptPath + "6.2.7.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} +[AuditTest] @{ + Id = "7.2.8" + Task = 
"Ensure no duplicate group names exist" + Test = { + $path = $scriptPath + "6.2.8.sh" + $result = bash $path + if($result -eq $null){ + return $retCompliant + } + return $retNonCompliant + } +} + +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "7.2.9" + Task = "Ensure local interactive user home directories are configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} +[AuditTest] @{ # in CIS it's automated, but in Excelsheet it's manual + Id = "7.2.10" + Task = "Ensure local interactive user dot files access is configured" + Test = { + return $retNonCompliantManualReviewRequired + } +} diff --git a/ATAPAuditor/Helpers/AuditGroupFunctions.ps1 b/ATAPAuditor/Helpers/AuditGroupFunctions.ps1 new file mode 100644 index 0000000..c01eef9 --- /dev/null +++ b/ATAPAuditor/Helpers/AuditGroupFunctions.ps1 
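Review bot: test 7.2.1 runs its awk program and file argument together, `awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}'/etc/passwd`; PowerShell hands the quoted program and `/etc/passwd` to awk as one argument, so awk never opens /etc/passwd, `$test1` stays `$null` and the test reports compliant without checking anything. Add the space before `/etc/passwd`. The same fail-open shape is in 7.2.3 and 7.2.5 to 7.2.8: they build the path from `$scriptPath` while every other test in this hunk uses `$commonPath`, and they load `6.2.x.sh` for tests numbered 7.2.x; when the variable or script is missing, `bash` writes its error to stderr, `$result` is `$null`, and 7.2.5 to 7.2.8 return `$retCompliant`. Check `$LASTEXITCODE` (or `Test-Path` the script) before treating empty output as a pass. In 7.1.1 to 7.1.8, `stat -c '%#a' /etc/passwd | grep -q "0644"` demands the exact mode, so a stricter 0600 is flagged non-compliant although the benchmark allows "or more restrictive"; compare the mode numerically against the maximum permitted value, and verify owner and group as well, which these tests do not do.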
@@ -0,0 +1,543 @@ +# Begin Helper for version control +function isWindows8OrNewer { + return ([Environment]::OSVersion.Version -ge (New-Object 'Version' 6, 2)) +} +function isWindows81OrNewer { + return ([Environment]::OSVersion.Version -ge (New-Object 'Version' 6, 3)) +} +function isWindows10OrNewer { + return ([Environment]::OSVersion.Version -ge (New-Object 'Version' 10, 0)) +} +function win7NoTPMChipDetected { + return (Get-CimInstance -ClassName Win32_Tpm -Namespace root\cimv2\security\microsofttpm | Select-Object -ExpandProperty IsActivated_InitialValue) -eq $null +} + +$sbdIndex = 1 +function IncrementSecurityBaseDataCounter { + return $sbdIndex++ +} + + +function hasTPM { + try { + $obj = (Get-Tpm).TpmPresent + } + catch { + return $null + } + return $obj +} +# End Helper for version control +function isWindows10Enterprise { + $os = Get-ComputerInfo OsName + if ($os -match "Windows 10 Enterprise" -or $os -match "Windows 11 Enterprise") { + return $true + } + return $false +} + +#Helper function for 'Test-ASRRules' +Function Test-RegistryValue ($regkey, $name) { + if (Get-ItemProperty -Path $regkey -Name $name -ErrorAction Ignore) { + $true + } + else { + $false + } +} + +#This function is needed in AuditGroups, which check both paths of ASR-Rules. +function Test-ASRRules { + [CmdletBinding()] + param ( + [Parameter(Mandatory = $true)] + [String] $Path, + [Parameter(Mandatory = $true)] + [String] $Value + ) + + process { + try { + if (Test-Path -Path $Path) { + return Test-RegistryValue $Path $Value + } + else { + return $false + } + } + catch { + + } + } + +} + +function Test-MultiplePaths { + [CmdletBinding()] + [OutputType([Object])] + param ( + [Parameter(Mandatory = $True, ValueFromPipeline)] + [String] + $Path, + [Parameter(Mandatory = $True)] + [String] + $Key, + [Parameter(Mandatory = $True)] + [Object] + $ExpectedValue, + [PSCustomObject] + $Result = @{ + Message = "Registry value not found." 
+ Status = "False" + } + ) + PROCESS { + $regValue = Get-ItemProperty -ErrorAction SilentlyContinue ` + -Path $Path ` + -Name $Key ` + | Select-Object -ExpandProperty "$($Key)" + # if regValue == expectedValue + if (($regValue -eq $ExpectedValue)) { + $Result = @{ + Message = "Compliant" + Status = "True" + } + } + # if regValue isnot empty AND regValue isnot expectedValue AND result is not True (yet) + # This result is ranked #2 below "Compliant" and above "Registry value not found" + if (($null -ne $regValue) -and ($regValue -ne $ExpectedValue) -and ($Result.Status -ne "True")) { + $Result = @{ + Message = "Registry value is '$regValue'. Expected: $ExpectedValue" + Status = "False" + } + } + } + END { + return $Result + } +} + +#Returns Hyper-V status +function CheckHyperVStatus { + return (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State +} + +function CheckWindefRunning { + # for systems, won't work if server + try { + $defStatus = (Get-MpComputerStatus -ErrorAction Ignore | Select-Object AMRunningMode) + if ($defStatus.AMRunningMode -eq "Normal") { + return $true + } + } + catch { + <#Do this if a terminating exception happens#> + } + + # for standalone systems, won't work if server + try { + $defStatus = (Get-MpComputerStatus -ErrorAction Ignore) + if ($defStatus.AMServiceEnabled -eq $true -and $defStatus.AntispywareEnabled -eq $true -and $defStatus.AntivirusEnabled -eq $true -and $defStatus.NISEnabled -eq $true -and $defStatus.RealTimeProtectionEnabled -eq $true) { + return $true + } + } + catch { + <#Do this if a terminating exception happens#> + } + + # for servers, won't work if standalone system + try { + if ((Get-WindowsFeature -Name Windows-Defender -ErrorAction Ignore).installed) { + if ((Get-Service -Name windefend -ErrorAction Ignore).Status -eq "Running") { + return $true + } + } + } + catch { + <#Do this if a terminating exception happens#> + } + + return $false +} + +function CheckForActiveAV { + $result = $false + $av = 
Get-AntiVirusStatus + foreach ($a in $av) { + if (($a.'Definition Status') -eq "Enabled") { + $result = $true; + } + } + return $result +} + +# only works for desktop workstations, not servers (except Windows XP and older) +function Get-AntiVirusStatus { + try { + $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername -ErrorAction Stop + } + catch [System.Management.ManagementException] { + <#Do this if a terminating exception happens#> + } + + $result = @() + foreach ($AntiVirusProduct in $AntiVirusProducts) { + + $hex = '0x{0:x}' -f $AntiVirusProduct.productState + $avstatus = $hex.Substring(3, 2) + $defstatus = "Unknown" + if (($avstatus -eq "00") -or ($avstatus -eq "01")) { + $defstatus = "Disabled" + } + if (($avstatus -eq "10") -or ($avstatus -eq "11")) { + $defstatus = "Enabled" + } + + $avupdated = $hex.Substring(5, 2) + $avupdatestatus = "Unknown" + if ($avupdated -eq ("10")) { + $avupdatestatus = "Not Up-to-date" + } + if ($avupdated -eq ("00")) { + $avupdatestatus = "Up-to-date" + } + + # hashtable for av status + $ht = @{} + $ht.Name = $AntiVirusProduct.displayName + $ht.'Definition Status' = $defstatus + $ht.'Update Status' = $avupdatestatus + + # add new hashtable to result + $result += New-Object -TypeName PSObject -Property $ht + } + return $result +} + +function getListOfWeakCipherSuites { + $listOfWeakCipherSuites = @( + "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", + "TLS_DH_DSS_WITH_AES_128_CBC_SHA", + "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", + "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", + "TLS_DH_DSS_WITH_AES_256_CBC_SHA", + "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", + "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", + "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256", + "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256", + "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384", + "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384", + "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256", + 
"TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_DH_DSS_WITH_SEED_CBC_SHA", + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384", + "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384", + "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_DHE_DSS_WITH_SEED_CBC_SHA", + "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", + "TLS_DHE_PSK_WITH_AES_128_CCM", + "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", + "TLS_DHE_PSK_WITH_AES_256_CCM", + "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", + "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256", + "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256", + "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384", + "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384", + "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CCM", + "TLS_DHE_RSA_WITH_AES_128_CCM_8", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + 
"TLS_DHE_RSA_WITH_AES_256_CCM", + "TLS_DHE_RSA_WITH_AES_256_CCM_8", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_SEED_CBC_SHA", + "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DH_RSA_WITH_AES_128_CBC_SHA", + "TLS_DH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DH_RSA_WITH_AES_256_CBC_SHA", + "TLS_DH_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256", + "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256", + "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384", + "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_DH_RSA_WITH_SEED_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384", + "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", + 
"TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256", + "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", + "TLS_KRB5_WITH_IDEA_CBC_SHA", + "TLS_PSK_DHE_WITH_AES_128_CCM_8", + 
"TLS_PSK_DHE_WITH_AES_256_CCM_8", + "TLS_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_PSK_WITH_AES_128_CBC_SHA", + "TLS_PSK_WITH_AES_128_CBC_SHA256", + "TLS_PSK_WITH_AES_128_CCM", + "TLS_PSK_WITH_AES_128_CCM_8", + "TLS_PSK_WITH_AES_128_GCM_SHA256", + "TLS_PSK_WITH_AES_256_CBC_SHA", + "TLS_PSK_WITH_AES_256_CBC_SHA384", + "TLS_PSK_WITH_AES_256_CCM", + "TLS_PSK_WITH_AES_256_CCM_8", + "TLS_PSK_WITH_AES_256_GCM_SHA384", + "TLS_PSK_WITH_ARIA_128_CBC_SHA256", + "TLS_PSK_WITH_ARIA_128_GCM_SHA256", + "TLS_PSK_WITH_ARIA_256_CBC_SHA384", + "TLS_PSK_WITH_ARIA_256_GCM_SHA384", + "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", + "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", + "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", + "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", + "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256", + "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256", + "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384", + "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384", + "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", + "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CCM", + "TLS_RSA_WITH_AES_128_CCM_8", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CCM", + "TLS_RSA_WITH_AES_256_CCM_8", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_ARIA_128_CBC_SHA256", + "TLS_RSA_WITH_ARIA_128_GCM_SHA256", + "TLS_RSA_WITH_ARIA_256_CBC_SHA384", + "TLS_RSA_WITH_ARIA_256_GCM_SHA384", + 
"TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_RSA_WITH_IDEA_CBC_SHA", + "TLS_RSA_WITH_SEED_CBC_SHA", + "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", + "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", + "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", + "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", + "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", + "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", + "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", + "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" + ) + return $listOfWeakCipherSuites +} + +function getListOfInsecureCipherSuites { + $listOfInsecureCipherSuites = @( + "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", + "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_DH_anon_WITH_AES_128_CBC_SHA", + "TLS_DH_anon_WITH_AES_128_CBC_SHA256", + "TLS_DH_anon_WITH_AES_128_GCM_SHA256", + "TLS_DH_anon_WITH_AES_256_CBC_SHA", + "TLS_DH_anon_WITH_AES_256_CBC_SHA256", + "TLS_DH_anon_WITH_AES_256_GCM_SHA384", + "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256", + "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256", + "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384", + "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384", + "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", + "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", + "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", + "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", + "TLS_DH_anon_WITH_DES_CBC_SHA", + "TLS_DH_anon_WITH_RC4_128_MD5", + "TLS_DH_anon_WITH_SEED_CBC_SHA", + "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DH_DSS_WITH_DES_CBC_SHA", + "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DHE_DSS_WITH_DES_CBC_SHA", + "TLS_DHE_PSK_WITH_NULL_SHA", + "TLS_DHE_PSK_WITH_NULL_SHA256", + "TLS_DHE_PSK_WITH_NULL_SHA384", + "TLS_DHE_PSK_WITH_RC4_128_SHA", + 
"TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DHE_RSA_WITH_DES_CBC_SHA", + "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", + "TLS_DH_RSA_WITH_DES_CBC_SHA", + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", + "TLS_ECDH_anon_WITH_NULL_SHA", + "TLS_ECDH_anon_WITH_RC4_128_SHA", + "TLS_ECDH_ECDSA_WITH_NULL_SHA", + "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_ECDHE_PSK_WITH_NULL_SHA", + "TLS_ECDHE_PSK_WITH_NULL_SHA256", + "TLS_ECDHE_PSK_WITH_NULL_SHA384", + "TLS_ECDHE_PSK_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_NULL_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDH_RSA_WITH_NULL_SHA", + "TLS_ECDH_RSA_WITH_RC4_128_SHA", + "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT", + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L", + "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S", + "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L", + "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S", + "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", + "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", + "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", + "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", + "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", + "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", + "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", + "TLS_KRB5_WITH_DES_CBC_MD5", + "TLS_KRB5_WITH_DES_CBC_SHA", + "TLS_KRB5_WITH_IDEA_CBC_MD5", + "TLS_KRB5_WITH_RC4_128_MD5", + "TLS_KRB5_WITH_RC4_128_SHA", + "TLS_NULL_WITH_NULL_NULL", + "TLS_PSK_WITH_NULL_SHA", + "TLS_PSK_WITH_NULL_SHA256", + "TLS_PSK_WITH_NULL_SHA384", + "TLS_PSK_WITH_RC4_128_SHA", + "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", + "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", + "TLS_RSA_EXPORT_WITH_RC4_40_MD5", + "TLS_RSA_PSK_WITH_NULL_SHA", + "TLS_RSA_PSK_WITH_NULL_SHA256", + "TLS_RSA_PSK_WITH_NULL_SHA384", + "TLS_RSA_PSK_WITH_RC4_128_SHA", + "TLS_RSA_WITH_DES_CBC_SHA", + "TLS_RSA_WITH_NULL_MD5", + "TLS_RSA_WITH_NULL_SHA", + 
"TLS_RSA_WITH_NULL_SHA256", + "TLS_RSA_WITH_RC4_128_MD5", + "TLS_RSA_WITH_RC4_128_SHA", + "TLS_SHA256_SHA256", + "TLS_SHA384_SHA384", + "TLS_SM4_CCM_SM3", + "TLS_SM4_GCM_SM3" + ) + return $listOfInsecureCipherSuites +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/Firewall.ps1 b/ATAPAuditor/Helpers/Firewall.ps1 new file mode 100644 index 0000000..ac89d47 --- /dev/null +++ b/ATAPAuditor/Helpers/Firewall.ps1 
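Review bot: `IncrementSecurityBaseDataCounter` never advances the counter: `return $sbdIndex++` assigns to a new function-local `$sbdIndex` (the script-scope variable is only read), so successive calls do not yield successive numbers; use `$script:sbdIndex++` and return the value explicitly. In `Get-AntiVirusStatus`, `Get-WmiObject -Namespace "root\SecurityCenter2"` does not exist in PowerShell 7, so the function returns an empty list there and `CheckForActiveAV` reports no active AV; `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` works in both editions. The `productState` decode via `$hex.Substring(3, 2)` and `$hex.Substring(5, 2)` assumes the formatted value is exactly five hex digits and silently misreads anything else; mask the bits instead, `($AntiVirusProduct.productState -band 0x1000) -ne 0` for enabled and `($AntiVirusProduct.productState -band 0x10) -ne 0` for out of date, which is what the substrings currently decode. Finally, `getListOfWeakCipherSuites` places forward-secret AEAD suites such as `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256` under "weak" with no comment on the criteria or the source of the classification; document which list and version this was taken from so a reviewer can tell an intentional finite-field-DHE downgrade from a copy error.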
@@ -0,0 +1,83 @@ +function Test-FirewallPaths { + [CmdletBinding()] + [OutputType([Object])] + param ( + [Parameter(Mandatory = $True, ValueFromPipeline)] + [String] + $Path, + [Parameter(Mandatory = $True)] + [String] + $Key, + [Parameter(Mandatory = $True)] + [Object] + $ExpectedValue, + [Parameter(Mandatory = $True)] + [String] + $ProfileType, + [PSCustomObject] + $Result = @{ + Message = "Registry value not found." + Status = "False" + } + ) + BEGIN { + $FirewallProfiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue + } + PROCESS { + $regValue = Get-ItemProperty -ErrorAction SilentlyContinue ` + -Path $Path ` + -Name $Key ` + | Select-Object -ExpandProperty "$($Key)" + # if regValue == expectedValue OR if the LogFilePath ends with .log + if (($regValue -eq $ExpectedValue) -or (($Key -eq "LogFilePath") -and ($regValue -match "[a-z]*.log"))) { + $Result = @{ + Message = "Compliant" + Status = "True" + } + } + # if regValue isnot empty AND regValue isnot expectedValue AND result is not True (yet) + # This result is ranked #2 below "Compliant" and above "Registry value not found" + if (($null -ne $regValue) -and ($regValue -ne $ExpectedValue) -and ($Result.Status -ne "True")) { + $Result = @{ + Message = "Registry value is '$regValue'. 
Expected: $ExpectedValue" + Status = "False" + } + } + } + END { + $FirewallProfile = $FirewallProfiles | Where-Object {$_.Name -eq $ProfileType} + $FirewallProfileValue = $FirewallProfile.$Key + # check whether value is a number + if ($FirewallProfileValue -is [int32] -or $FirewallProfileValue -is [uint32] -or $FirewallProfileValue -is [int64] -or $FirewallProfileValue -is [uint64]) { + # if value is a number, the value may also be greater and equals to the expectedvalue + if ($FirewallProfileValue -ge $expectedValue) { + $Result = @{ + Message = "Compliant" + Status = "True" + } + } + } + if ($FirewallProfileValue -eq $expectedValue) { + $Result = @{ + Message = "Compliant" + Status = "True" + } + } + if ($Key -eq "LogFilePath") { + if ($FirewallProfiles -eq $null -or $FirewallProfiles.Count -lt 3) { + ### if profiles are empty, skip comparison and continue with other checks + } else { + if (($FirewallProfiles[0].LogFileName -eq $FirewallProfiles[1].LogFileName) -or + ($FirewallProfiles[0].LogFileName -eq $FirewallProfiles[2].LogFileName) -or + ($FirewallProfiles[1].LogFileName -eq $FirewallProfiles[2].LogFileName)) { + $Result = @{ + Message = "For better organization and identification of specific issues within each profile consider using separate logfiles for each profile." + Status = "Warning" + } + } + } + } + return $Result + } +} + diff --git a/ATAPAuditor/Helpers/HashHelper.ps1 b/ATAPAuditor/Helpers/HashHelper.ps1 new file mode 100644 index 0000000..fec6ba2 --- /dev/null +++ b/ATAPAuditor/Helpers/HashHelper.ps1 
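Review bot: the `LogFilePath` shortcut `($regValue -match "[a-z]*.log")` is neither anchored nor escaped; `[a-z]*` may match nothing and `.` any character, so any value containing "log" preceded by one character (`C:\logs\fw.txt`, `%SystemRoot%\catalog`) is marked Compliant. Use `'\.log$'` or, better, compare only against the expected path. In the END block, `$FirewallProfile.$Key` reads a Get-NetFirewallProfile property named after the registry value, but for `LogFilePath` the cmdlet exposes `LogFileName` (the code reads `.LogFileName` itself a few lines later), so `$FirewallProfileValue` is `$null` and the fallback comparison never fires for that key; add a registry-name to property-name map and apply it before the comparison. Also the duplicate-log-file check replaces whatever `$Result` held with `Status = "Warning"`, turning a non-compliant registry result into a warning; only downgrade a result whose Status is "True".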
@@ -0,0 +1,58 @@ +#Hash functions will be used for hashing results of report +#Based on SHA-256 and SHA-512 + +function Get-SHA256Hash { + Param ( + [Parameter(Mandatory=$true)] + [string] + $ClearString + ) + + $hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') + $hash = $hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($ClearString)) + + $hashString = [System.BitConverter]::ToString($hash) + $hashString.Replace('-', '') +} + +function GenerateHashTable{ + Param ( + [Parameter(Mandatory=$true)] + [Report] + $report + ) + + #hashes for each recommendation + $hashtable_sha256 = @{} + foreach($recommendation in $report.Sections){ + $hash_sha256 = "" + foreach($section in $recommendation.SubSections){ + foreach($test in $section.AuditInfos){ + #hash each test status + $statusHash_sha256 = (Get-SHA256Hash $test.Status) + $hash_sha256 += $statusHash_sha256 + #hash combination of tests + $hash_sha256 = (Get-SHA256Hash $hash_sha256) + } + } + #add final hash to hashlist + $hashtable_sha256.add($recommendation.Title, $hash_sha256) + } + + #checksum hash for overal check + $overallHash_sha256 = "" + foreach($hash in $hashtable_sha256.values){ + #add recommendation hash to overall hash + $overallHash_sha256 += $hash + #hash this value again + try{ + $overallHash_sha256 = Get-SHA256Hash $overallHash_sha256 -ErrorAction Stop + } + catch{ + Write-Warning "Hash code for report section couldn't be created." + } + } + + $hashtable_sha256.add($report.Title, $overallHash_sha256) + return $hashtable_sha256 +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/LinuxHelper.ps1 b/ATAPAuditor/Helpers/LinuxHelper.ps1 new file mode 100644 index 0000000..348ce23 --- /dev/null +++ b/ATAPAuditor/Helpers/LinuxHelper.ps1 
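Review bot: `GenerateHashTable` hashes only `$test.Status`, so two reports with the same sequence of statuses produce identical section hashes regardless of which tests ran, and a report whose Id, Task or Message fields were altered still verifies; feed a canonical record such as `"$($test.Id)|$($test.Status)|$($test.Message)"` into `Get-SHA256Hash`. The overall hash iterates `$hashtable_sha256.values`, whose order in a `[hashtable]` is not guaranteed, so the checksum may differ between runs for the same report; use `[ordered]@{}` (note also that `.add()` throws on a duplicate section title and that `$report.Title` goes into the same table as the sections). An unkeyed hash detects accidental corruption but not tampering by anyone who can recompute it; say so in the header comment or use an HMAC with a key held by the verifier. Minor: `Get-SHA256Hash` is a simple function, so the `-ErrorAction Stop` in the try block lands in `$args` and does nothing, its mandatory `[string]` parameter rejects an empty `Status` (add `[AllowEmptyString()]`), and the `HashAlgorithm` is never disposed.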
@@ -0,0 +1,106 @@ +$script:LinuxDistroId = $null + + +$rcTrue = "True" +$rcCompliant = "Compliant" +$rcFalse = "False" +$rcNone = "None" +$rcNonCompliant = "Non-Compliant" +$rcNonCompliantManualReviewRequired = "Manual review required" +$rcCompliantIPv6isDisabled = "IPv6 is disabled" + +if (Test-Path "/etc/os-release") { + $osRelease = @{} + Get-Content "/etc/os-release" | ForEach-Object { + if ($_ -match "^(?\w+)=(?.+)$") { + $osRelease[$matches.key] = $matches.val.Trim('"') + } + } + + $script:LinuxDistroId = $osRelease["ID"] + + if (-not $script:LinuxDistroId) { + throw "Could not detect Linux distribution from /etc/os-release" + } + + switch ($script:LinuxDistroId) { + "ubuntu" {} + "debian" {} + "rhel" {} + "centos" {} + "fedora" {} + "opensuse" {} + default { + throw "Unsupported Linux distribution: $script:LinuxDistroId" + } + } + Write-Verbose "Detected $script:LinuxDistroId" +} else { + throw "/etc/os-release not found. Cannot detect Linux distribution." +} + +function Test-PackageInstalled { + param ( + [Parameter(Mandatory = $true)] + [string]$PackageName + ) + + switch ($script:LinuxDistroId) { + "ubuntu" + { + dpkg-query -W -f='${db:Status-Abbrev}' $PackageName 2>/dev/null | Out-Null + return ($LASTEXITCODE -eq 0) + } + + "debian" + { + dpkg-query -W -f='${db:Status-Abbrev}' $PackageName 2>/dev/null | Out-Null + return ($LASTEXITCODE -eq 0) + } + + "rhel" + { + rpm -q $PackageName >/dev/null 2>&1 + return ($LASTEXITCODE -eq 0) + } + + "centos" + { + rpm -q $PackageName >/dev/null 2>&1 + return ($LASTEXITCODE -eq 0) + } + + "fedora" + { + rpm -q $PackageName >/dev/null 2>&1 + return ($LASTEXITCODE -eq 0) + } + + "opensuse" + { + rpm -q $PackageName >/dev/null 2>&1 + return ($LASTEXITCODE -eq 0) + } + + default + { throw "Unexpected distro in module runtime: $script:LinuxDistroId" } + } +} + +function Test-ServiceActiveOrEnabled { + param ( + [Parameter(Mandatory = $true)] + [string]$ServiceName + ) + + # Check if the service is active + systemctl 
is-active --quiet $ServiceName + $isActive = ($LASTEXITCODE -eq 0) + + # Check if the service is enabled + systemctl is-enabled --quiet $ServiceName + $isEnabled = ($LASTEXITCODE -eq 0) + + return ($isActive -or $isEnabled) +} + diff --git a/ATAPAuditor/Helpers/LogFile.ps1 b/ATAPAuditor/Helpers/LogFile.ps1 new file mode 100644 index 0000000..3f6af1b --- /dev/null +++ b/ATAPAuditor/Helpers/LogFile.ps1 
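Review bot: the /etc/os-release parser's regex must carry the group names that `$matches.key` and `$matches.val` look up, i.e. `'^(?<key>\w+)=(?<val>.+)$'`; as it appears here, `"^(?\w+)=(?.+)$"`, the pattern is invalid and the helper throws at import. The ID whitelist is also too narrow: openSUSE reports `ID=opensuse-leap` or `opensuse-tumbleweed`, RHEL rebuilds report `rocky`, `almalinux` or `ol`, and SLES reports `sles`, all of which hit `throw "Unsupported Linux distribution"`; consult `ID_LIKE` before rejecting, and gate the whole block on `$IsLinux` so that dot-sourcing the helper on Windows does not throw "/etc/os-release not found". In `Test-PackageInstalled`, `dpkg-query -W` exits 0 for packages dpkg knows but that were removed (status `rc`), so a removed package with leftover config counts as installed; test the printed status instead, e.g. `(dpkg-query -W -f='${Status}' $PackageName 2>$null) -eq 'install ok installed'`.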
@@ -0,0 +1,94 @@ +function Set-LogFile { + [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] + Param( + [Parameter(Mandatory = $true)] + [Alias('LogPath')] + [string]$Path, + [Parameter(Mandatory = $true)] + [Alias('Logname')] + [string]$Name + ) + + $FullPath = Get-FullPath $Path $Name + + # Create file if it does not already exists + if (!(Test-Path -Path $FullPath)) { + + # Create file and start logging + New-Item -Path $FullPath -ItemType File -Force | Out-Null + + Add-Content -Path $FullPath -Value "***************************************************************************************************" + Add-Content -Path $FullPath -Value " Logfile created at [$([DateTime]::Now)]" + Add-Content -Path $FullPath -Value "***************************************************************************************************" + Add-Content -Path $FullPath -Value "" + Add-Content -Path $FullPath -Value "" + } +} + +function Write-LogFile { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true)] + [Alias('LogMessage')] + [string]$Message, + + [Parameter(Mandatory = $true)] + [Alias('LogPath')] + [string]$Path, + + [Parameter(Mandatory = $true)] + [Alias('Logname')] + [string]$Name, + + [ValidateSet("Error", "Warning", "Info")] + [string]$Level = "Info" + ) + + + Set-LogFile $Path $Name + $FullPath = Get-FullPath $Path $Name + + # Format date for log file + $FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" + + switch ($Level) { + 'Error' { + # Write-Error $Message + $LevelText = '[ERROR]:' + } + 'Warning' { + # Write-Warning $Message + $LevelText = '[WARNING]:' + } + 'Info' { + # Write-Verbose $Message + $LevelText = '[INFO]:' + } + } + Add-Content $FullPath "$FormattedDate $LevelText" + Add-Content $FullPath "$Message" + Add-Content $FullPath "--------------------------" + Add-Content $FullPath "" +} + +function Get-FullPath { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true)] + [string]$Path, + [Parameter(Mandatory = $true)] + 
[string]$File + ) + + $FullPath = "" + if ($Path.Length -gt 0) { + if ($Path[$Path.Length - 1] -ne "\") { + $FullPath = $Path + "\" + $File + } + else { + $FullPath = $Path + $File + } + } + + return $FullPath +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/Menu.ps1 b/ATAPAuditor/Helpers/Menu.ps1 new file mode 100644 index 0000000..2558759 --- /dev/null +++ b/ATAPAuditor/Helpers/Menu.ps1 
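Review bot: `Get-FullPath` joins with a hard-coded backslash, `$FullPath = $Path + "\" + $File`, so on the Linux hosts this module also targets the log ends up as a single file named like `log\atap.log` in the parent directory; replace the function body with `Join-Path -Path $Path -ChildPath $File`, which also covers the trailing-separator case it handles by hand. `Write-LogFile` writes `$Message` verbatim, so a message containing newlines or the `--------------------------` separator forges extra records; since messages carry test output, indent or escape continuation lines. Minor: `Set-LogFile` declares `SupportsShouldProcess` without calling `$PSCmdlet.ShouldProcess`, so `-WhatIf` is honoured only through the inner `New-Item` and `Add-Content` calls.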
@@ -0,0 +1,142 @@ +# Get the report names from the files in the Module folder +function Get-Reports { + # Get the path to the module + $atapFile = (Get-Module -ListAvailable ATAPAuditor).Path + if ($atapFile.Count -gt 1) { + $atapFile = $atapFile[0] # use the first result if there are several + } elseif ($atapFile.Count -eq 0) { + Write-Host "The ATAP module could not be found." + pressAnyKeyToQuit + Exit + } + + # find all *.ps1 report files + $atapDir = Split-Path -parent $atapFile + $reportsDir = Join-Path -Path $atapDir -ChildPath "Reports" + $reportFiles = Get-ChildItem -Path "$reportsDir\*.ps1" -Recurse + + # Build a dictionary from the file names without the extension + $i = 1 + $reports = [ordered]@{} + foreach ($reportName in $reportFiles) { + $reports.add([string]$i, $reportName.BaseName) + $i++ + } + return $reports +} + +# present a menu based on the dict given as argument +function Show-Menu { + param ( + [System.Collections.Specialized.OrderedDictionary]$reports + ) + Clear-Host + Write-Host "============== AuditTAP Reports ==============`n" + $padCount = ([string]$reports.Count).Length + foreach ($item in $reports.GetEnumerator()) { + Write-Host (' {0}: {1}' -f $item.Key.PadLeft($padCount, ' '), $item.Value) + } + Write-Host "" +} + + +function askSelection { + param ( + [System.Collections.Specialized.OrderedDictionary]$reports + ) + $retry = $false + :loop while ($true) { + # show menu and ask the user for a selection (or multiple) + Show-Menu $reports + if ($retry) { + [string]$selection = Read-Host "Invalid selection. 
Please try again`nYou can select multiple reports by comma separating the numbers" + } else { + [string]$selection = Read-Host "Please choose a report to run`nYou can select multiple reports by comma separating the numbers" + } + + # sanitize input data + $selection = $selection -replace '\s','' + $selection = $selection.Trim(',') + $selectionArray = $selection.Split(",") + $selectionArray = $selectionArray | Select-Object -Unique + + # Check if requested reports are valid / actually present + $reportsValid = @() + foreach ($i in $selectionArray) { + if (!$reports.Contains($i)) { + Write-Host "Report $i does not exist" + $retry = $true + Continue loop + } else { + $reportsValid += $reports[$i] + } + } + + # return the list of valid reports as an array of strings + return $reportsValid + } +} + +function runReports { + param ( + [string[]]$report + ) + Clear-Host + Import-Module -Name ATAPAuditor -Force + foreach ($i in $report) { + Write-Host "Running report: $i" + Save-ATAPHtmlReport -ReportName $i -Force + Write-Host "" + } +} + +function isAdmin { + $unixOS = [System.Environment]::OSVersion.Platform -eq 'Unix' + if ($unixOS) { + return ($(id -u) -eq 0) + } else { + return ([Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains 'S-1-5-32-544') + } +} + +function pressAnyKeyToQuit { + if ($psISE) { + Return + } + Write-Host "Press any key to quit" + $null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown') +} + +if (!(isAdmin)) { + Write-Host "Please run as administrator`n" + pressAnyKeyToQuit +} else { + $reports = Get-Reports + Show-Menu $reports + $sel = askSelection $reports + runReports $sel + + if ([System.Environment]::OSVersion.Platform -eq 'Unix') { + if (($env:XDG_SESSION_TYPE -eq 'tty') -or ($null -eq $env:SUDO_USER)) { + # 1. reason to return: no graphical environment to open the file explorer + # 2. 
reason to return: we do not want to open the file explorer as root + Return + } + } + + [string]$action = Read-Host "Do you want to open the output directory? (Y/N)" + if ($action -eq 'y' -or $action -eq 'Y') { + if ($null -eq $env:ATAPReportPath) { + $outPath = [Environment]::GetFolderPath('MyDocuments') | Join-Path -ChildPath 'ATAPReports' + } else { + $outPath = $env:ATAPReportPath + } + if (Test-Path -Path $outPath) { + if ([System.Environment]::OSVersion.Platform -eq 'Unix') { + su $env:SUDO_USER -c "xdg-open $outPath" + } else { + explorer.exe $outPath + } + } + } +} diff --git a/ATAPAuditor/Helpers/ReportUnixOS.ps1 b/ATAPAuditor/Helpers/ReportUnixOS.ps1 new file mode 100644 index 0000000..f543045 --- /dev/null +++ b/ATAPAuditor/Helpers/ReportUnixOS.ps1 @@ -0,0 +1,20 @@ +[SystemInformation]@{ + SoftwareInformation = [SoftwareInformation]@{ + Hostname = hostname + OperatingSystem = (Get-Content /etc/os-release | Select-String -Pattern '^PRETTY_NAME=\"(.*)\"$').Matches.Groups[1].Value + BuildNumber = 'Version {0} (Build {1}.{2})' -f $v.DisplayVersion, $v.CurrentBuildNumber, $v.UBR + InstallationLanguage = (($(locale) | Where-Object { $_ -match "LANG=" }) -split '=')[1] + SystemUptime = uptime -p + OSArchitecture = lscpu | awk '/Architecture/ {print $2}' + KernelVersion = uname -r + } + HardwareInformation = [HardwareInformation]@{ + BIOSVersion = dmidecode -s bios-version + SystemSKU = (dmidecode -t system)[12] | cut -d ':' -f 2 | xargs + SystemSerialnumber = (dmidecode -t system)[9] | cut -d ':' -f 2 | xargs + SystemManufacturer = (dmidecode -t system)[6] | cut -d ':' -f 2 | xargs + SystemModel = dmidecode -s system-product-name + FreeDiskSpace = "{0:N1} GB" -f ((Get-PSDrive | Where-Object { $_.Name -eq '/' }).Free / 1GB) + FreePhysicalMemory = "{0:N1} GB" -f (( -split (Get-Content /proc/meminfo | Where-Object { $_ -match 'MemFree:' }))[1] / 1MB) + } +} 
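Review bot: isAdmin on Windows tests `Groups -contains 'S-1-5-32-544'`, which is also true for a member of Administrators running under a UAC-filtered (non-elevated) token, because the group SID remains in that token with the deny-only attribute; use `[Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)` so a non-elevated run is rejected up front instead of failing inside the reports. At the end of the Unix branch, `su $env:SUDO_USER -c "xdg-open $outPath"` interpolates the path unquoted into a shell command line, so a report directory containing spaces or shell metacharacters (ATAPReportPath is user-controlled) either breaks the command or is interpreted by the shell; quote it, e.g. `-c "xdg-open '$outPath'"`. Get-Reports also calls `Exit` from inside a function, which terminates the caller's session when the script is dot-sourced; write an error and return instead.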
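Review bot: in ReportUnixOS.ps1 `BuildNumber` formats `$v.DisplayVersion`, `$v.CurrentBuildNumber` and `$v.UBR`, but `$v` is never assigned in this file (it comes from the registry read in ReportWindowsOS.ps1), so on Linux the field renders as `Version  (Build .)`; derive it from `/etc/os-release` (`VERSION_ID`) or drop the field for this OS. `SystemSKU`, `SystemSerialnumber` and `SystemManufacturer` index fixed line numbers of `dmidecode -t system` output (`[12]`, `[9]`, `[6]`), which shift between firmware vendors and dmidecode versions; use `dmidecode -s system-serial-number`, `-s system-manufacturer` and (on recent dmidecode) `-s system-sku-number`, the way `SystemModel` already uses `-s system-product-name`.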
diff --git a/ATAPAuditor/Helpers/ReportWindowsOS.ps1 b/ATAPAuditor/Helpers/ReportWindowsOS.ps1 new file mode 100644 index 0000000..515f7fd --- /dev/null +++ b/ATAPAuditor/Helpers/ReportWindowsOS.ps1 
@@ -0,0 +1,41 @@ +$infos = Get-CimInstance Win32_OperatingSystem +$disk = Get-CimInstance Win32_LogicalDisk | Where-Object -Property DeviceID -eq "C:" +$role = Switch ((Get-CimInstance -Class Win32_ComputerSystem).DomainRole) { + "0" { "Standalone Workstation" } + "1" { "Member Workstation" } + "2" { "Standalone Server" } + "3" { "Member Server" } + "4" { "Backup Domain Controller" } + "5" { "Primary Domain Controller" } +} +$freeMemory = ($infos.FreePhysicalMemory / 1024) / 1024; +$totalMemory = ($infos.TotalVirtualMemorySize / 1024) / 1024; +$uptime = (get-date) - (gcim Win32_OperatingSystem).LastBootUpTime +$v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + + +[SystemInformation]@{ + SoftwareInformation = [SoftwareInformation]@{ + Hostname = hostname + DomainRole = $role + OperatingSystem = $infos.Caption + LicenseStatus = $lcStatus + BuildNumber = 'Version {0} (Build {1}.{2})' -f $v.DisplayVersion, $v.CurrentBuildNumber, $v.UBR + InstallationLanguage = ((Get-UICulture).DisplayName) + SystemUptime = '{0:d1}:{1:d2}:{2:d2}:{3:d2}' -f $uptime.Days, $uptime.Hours, $uptime.Minutes, $uptime.Seconds + OSArchitecture = (Get-WmiObject win32_operatingsystem | select osarchitecture).osarchitecture + } + HardwareInformation = [HardwareInformation]@{ + BIOSVersion = (Get-WmiObject -Class Win32_BIOS).Version + SystemSKU = (Get-WmiObject -Namespace root\wmi -Class MS_SystemInformation).SystemSKU + SystemSerialnumber = (Get-WmiObject win32_bios).Serialnumber + SystemManufacturer = (Get-WMIObject -class Win32_ComputerSystem).Manufacturer + SystemModel = (Get-WMIObject -class Win32_ComputerSystem).Model + FreeDiskSpace = "{0:N3}" -f "$([math]::Round(($disk.FreeSpace / $disk.Size)*100,1))% " + "{0:N3}" -f "($([math]::Round($disk.FreeSpace / 1GB,1)) GB / $([math]::Round($disk.Size / 1GB,1)) GB)" + FreePhysicalMemory = "{0:N3}" -f "$([math]::Round(($freeMemory/$totalMemory)*100,1))% ($([math]::Round($freeMemory,1)) GB / 
$([math]::Round($totalMemory,1)) GB)" + } +} + + + + diff --git a/ATAPAuditor/Helpers/SecurityPolicy.psm1 b/ATAPAuditor/Helpers/SecurityPolicy.psm1 new file mode 100644 index 0000000..5a3b787 --- /dev/null +++ b/ATAPAuditor/Helpers/SecurityPolicy.psm1 @@ -0,0 +1,36 @@ +function ConvertTo-NTAccountUser { + [CmdletBinding()] + [OutputType([hashtable])] + Param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [string] $Name + ) + + process { + try { + # Identity doesn't exist on when Hyper-V isn't installed + if ($Name -eq "NT VIRTUAL MACHINE\Virtual Machines" -and + (Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V").State -ne "Enabled") { + return $null + } + + Write-Verbose "[ConvertTo-NTAccountUser] Converting identity '$Name' to NTAccount" + if ($Name -match "^(S-[0-9-]{3,})") { + $sidAccount = [System.Security.Principal.SecurityIdentifier]$Name + } + else { + $sidAccount = ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]) + } + return @{ + Account = $sidAccount.Translate([System.Security.Principal.NTAccount]) + Sid = $sidAccount.Value + } + } + catch{ + return @{ + Account = "Orphaned Account" + Sid = $Name + } + } + } +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.1.sh new file mode 100644 index 0000000..1ee773e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.1.sh 
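Review bot: in ReportWindowsOS.ps1 `LicenseStatus = $lcStatus` references a variable that is never assigned in this file, so the field is always empty; either compute it (for example from the `SoftwareLicensingProduct` CIM class) or remove it. `$totalMemory` is taken from `TotalVirtualMemorySize` but serves as the denominator of the free physical memory percentage; the physical total is `TotalVisibleMemorySize`. The hardware section mixes `Get-WmiObject`, which does not exist in PowerShell 7 (the Unix report in this patch implies cross-version use), with the `Get-CimInstance` already used at the top of the file; use Get-CimInstance throughout. The `"{0:N3}" -f "...% "` calls apply a numeric format to strings that are already formatted and have no effect.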
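Review bot: in SecurityPolicy.psm1 the bare `catch` in ConvertTo-NTAccountUser turns every failure into `Account = "Orphaned Account"`, including an error from `Get-WindowsOptionalFeature -Online` (needs elevation and is not present on every SKU) or an invalid SID string cast; catch `[System.Security.Principal.IdentityNotMappedException]` for the orphaned case and let other exceptions surface, otherwise a transient lookup error is reported in the audit as a dangling SID. The SID test `^(S-[0-9-]{3,})` also accepts strings such as `S---`, which the `[SecurityIdentifier]` cast then throws on; anchoring the pattern as `^S-1-\d+(-\d+)+$` avoids relying on the catch for that.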
@@ -0,0 +1,32 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="cramfs" # set module name + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: + \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.2.sh new file mode 100644 index 0000000..d3b73f2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.2.sh 
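Review bot: the deny-list check greps `/etc/modprobe.d/*`, but modprobe only reads files ending in `.conf` from that directory, so a `blacklist cramfs` line in a stray `cramfs.conf.bak` or `README` passes the audit without taking effect; restrict the glob to `/etc/modprobe.d/*.conf`. The loaded check `lsmod | grep "$l_mname"` is an unanchored substring match that also hits other module names and the 'Used by' column; use `lsmod | awk '{print $1}' | grep -qx "$l_mname"`.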
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="squashfs" # set module name + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.3.sh new file mode 100644 index 0000000..18d958f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.1.3.sh 
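Review bot: this file is the 1.1.1.1 script with `l_mname` changed to `squashfs`, and 1.1.1.3 and 1.1.10 repeat it again; a single module-disabled script taking the module name as `$1` (called from the report with the module as argument) would keep the four checks in sync, so that fixes such as the `*.conf` glob and the anchored lsmod match only have to land once. Without `-s` on the `grep -Pq ... /etc/modprobe.d/*` call, an empty directory leaves the glob unexpanded and grep prints a 'No such file' error to stderr in the report output.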
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="udf" # set module name + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.10.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.10.sh new file mode 100644 index 0000000..aa407a1 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.1.10.sh 
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="usb-storage" # set module name + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: +\"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: +\"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: +\"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit +failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.5.1.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.5.1.sh new file mode 100644 index 0000000..b6121b8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.5.1.sh 
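Review bot: the loaded check `lsmod | grep "$l_mname"` can never match here, because the kernel reports module names with underscores (`usb_storage`) while `l_mname` is `usb-storage`, so the script reports the module as not loaded even when it is; normalize the name for that test (`lsmod | awk '{print $1}' | grep -qx "${l_mname//-/_}"`). The blacklist grep should likewise accept either spelling (`usb[-_]storage`), since modprobe treats dash and underscore as equivalent in its configuration and an administrator who wrote `blacklist usb_storage` would fail this audit despite a working deny list. Several strings in this copy are also split by literal line breaks inside double quotes (`is not loadable:` / `\"$l_loadable\"`, `Reason(s) for audit` / `failure:`), a paste artifact from the benchmark PDF that puts stray newlines into the output; join them as in the 1.1.1.x copies.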
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="kernel.randomize_va_space" + kpvalue="2" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc )" + fafile="$( grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " + [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.2.sh new file mode 100644 index 0000000..a031d2c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.2.sh 
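Review bot: `$kpname` is interpolated into the PCRE patterns unescaped, so the dots in `kernel.randomize_va_space` match any character; harmless for this key, but if the template is reused for other sysctl keys build an escaped copy (`kpre="${kpname//./\\.}"`) and use it in the three grep calls. The FAIL branch flags a conflicting value in any file under `$searchloc` even when a file applied later by `sysctl --system` overrides it, which is a conservative choice but worth stating in the FAIL message so the finding can be triaged against the running value that `$krp` already reports.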
@@ -0,0 +1,73 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" # Space seporated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - +Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + echo -e "$l_pkgoutput" + # Look for existing settings and set variables if they exist + l_gdmfile="$( + grep -Prils '^\h*banner-message-enable\b' + /etc/dconf/db/*.d + )" + if [ -n "$l_gdmfile" ]; then + # Set profile name based on dconf db directory ({PROFILE_NAME}.d) + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")" + # Check if banner message is enabled + if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then + l_output="$l_output\n - The \"banner-message-enable\" option is +enabled in \"$l_gdmfile\"" + else + l_output2="$l_output2\n - The \"banner-message-enable\" option is +not enabled" + fi + l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")" + if [ -n "$l_lsbt" ]; then + l_output="$l_output\n - The \"banner-message-text\" option is set +in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\"" + else + l_output2="$l_output2\n - The \"banner-message-text\" option is +not set" + fi + if + grep -Pq "^\h*system-db:$l_gdmprofile" + /etc/dconf/profile/"$l_gdmprofile" + then + l_output="$l_output\n - The \"$l_gdmprofile\" profile exists" + else + l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't +exist" + fi + if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then + l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in +the dconf database" + else + l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't +exist in the dconf database" + fi + else + l_output2="$l_output2\n - The 
\"banner-message-enable\" option isn't +configured" + fi + else + echo -e "\n\n - GNOME Desktop Manager isn't installed\n - +Recommendation is Not Applicable\n- Audit result:\n *** PASS ***\n" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit +failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.3.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.3.sh new file mode 100644 index 0000000..c4e7589 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.3.sh 
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" # Space seporated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + output="" output2="" + l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db )" + if [ -n "$l_gdmfile" ]; then + output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\"" + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")" + if + grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile" + then + output="$output\n - The \"$l_gdmprofile\" exists" + else + output2="$output2\n - The \"$l_gdmprofile\" doesn't exist" + fi + if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then + output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database" + else + output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database" + fi + else + output2="$output2\n - The \"disable-user-list\" option is not enabled" + fi + if [ -z "$output2" ]; then + echo -e "$l_pkgoutput\n- Audit result:\n *** PASS: ***\n$output\n" + else + echo -e "$l_pkgoutput\n- Audit Result:\n *** FAIL: ***\n$output2\n" + [ -n "$output" ] && echo -e "$output\n" + fi + else + echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *** PASS ***\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.4.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.4.sh new file mode 100644 index 0000000..8d711a9 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.4.sh 
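Review bot: the `grep -Pril ... /etc/dconf/db` search also reads the compiled binary databases under `/etc/dconf/db` alongside the `*.d` key-file directories; restrict it to `/etc/dconf/db/*.d` as 1.8.2 does so the awk profile extraction always sees a `<profile>.d/<file>` path. The variables are named `output`/`output2` here but `l_output`/`l_output2` in the sibling scripts; align them, and the `\n -Package:` fragment is missing the space after the dash that the other copies have.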
@@ -0,0 +1,70 @@ +#!/usr/bin/env bash +{ + # Check if GNMOE Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n + # determine system's package manager + l_pkgoutput="" + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + # Check if GDM is installed + l_pcl="gdm gdm3" # Space seporated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration" + done + # Check configuration (If applicable) + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_idmv="900" # Set for max value for idle-delay in seconds + l_ldmv="5" # Set for max value for lock-delay in seconds + # Look for idle-delay to determine profile in use, needed for remaining tests + l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ )" # Determine file containing idle-delay key + if [ -n "$l_kfile" ]; then + # set profile name (This is the name of a dconf database) + l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")" #Set the key profile name + l_pdbdir="/etc/dconf/db/$l_profile.d" # Set the key file dconf db directory + # Confirm that idle-delay exists, includes unit32, and value is between 1 and max value for idle-delay + l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)" + if [ -n "$l_idv" ]; then + [ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" + [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" + [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\"" + else + l_output2="$l_output2\n - The \"idle-delay\" option is not 
set in \"$l_kfile\"" + fi + # Confirm that lock-delay exists, includes unit32, and value is between 0 and max value for lock-delay + l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" |xargs)" + if [ -n "$l_ldv" ]; then + [ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds in \"$l_kfile\"" + [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\"" + else + l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\"" + fi + # Confirm that dconf profile exists + if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then + l_output="$l_output\n - The \"$l_profile\" profile exists" + else + l_output2="$l_output2\n - The \"$l_profile\" doesn't exist" + fi + # Confirm that dconf profile database file exists + if [ -f "/etc/dconf/db/$l_profile" ]; then + l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database" + else + l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database" + fi + else + l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + # Report results. If no failures output in l_output2, we pass + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.5.sh new file mode 100644 index 0000000..3581400 --- /dev/null 
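Review bot: `l_kfile` is the output of `grep -Psril ... /etc/dconf/db/*/`, which can list more than one file (idle-delay set in both `local.d` and `gdm.d`); the value then contains a newline, `awk` prints two profile names, `"$l_kfile"` is passed to awk as one non-existent path and every later test reports the key as unset. Either take the first match (`| head -n 1`) or loop over the matches. The awk filter `/idle-delay/` also matches a commented-out `#idle-delay=uint32 0` in the same file, giving `l_idv` two values and making the `-gt` comparisons error out. `[ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ]` uses the obsolescent `-a`; write `[ "$l_idv" -gt 0 ] && [ "$l_idv" -le "$l_idmv" ]`.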
+++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.5.sh 
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash +{ + # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n + # determine system's package manager + l_pkgoutput="" + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + # Check if GDM is installed + l_pcl="gdm gdm3" # Space seporated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration" + done + # Check configuration (If applicable) + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + # Look for idle-delay to determine profile in use, needed for remaining tests + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked + l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked + if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked + if + grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' + "$l_kfd" + then + l_output="$l_output\n - \"idle-delay\" is locked in \"$( + grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd" + )\"" + else + l_output2="$l_output2\n - \"idle-delay\" is not locked" + fi + else + l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked" + fi + if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked + if + grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' + "$l_kfd2" + then + l_output="$l_output\n - \"lock-delay\" is locked in \"$( + grep - + Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2" + )\"" + else + l_output2="$l_output2\n - \"lock-delay\" is 
not locked" + fi + else + l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be +locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed +on the system\n - Recommendation is not applicable" + fi + # Report results. If no failures output in l_output2, we pass + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit +failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.6.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.6.sh new file mode 100644 index 0000000..7632b13 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.6.sh 
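Review bot: both lock checks are broken by line wraps: `grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b'` ends the line before `"$l_kfd"`, so grep recurses from the current working directory instead of the lock directory and the result depends on where the report is launched from, while `"$l_kfd"` alone is then run as a command; in the lock-delay branch `grep -` / `Pril` splits the option itself, so the 'locked in' message never names a file. Join each of these into a single grep invocation (the 1.8.4 copy shows the intended single-line form). The search should also be limited to `$l_kfd/locks`, the subdirectory dconf actually reads lock entries from, rather than the whole `.d` directory.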
@@ -0,0 +1,75 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" l_output="" l_output2="" + # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n + # determine system's package manager + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + # Check if GDM is installed + l_pcl="gdm gdm3" # Space seporated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration" + done + # Check configuration (If applicable) + if [ -n "$l_pkgoutput" ]; then + echo -e "$l_pkgoutput" + # Look for existing settings and set variables if they exist + l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)" + l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)" + # Set profile name based on dconf db directory ({PROFILE_NAME}.d) + if [ -f "$l_kfile" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")" + elif [ -f "$l_kfile2" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile2")" + fi + # If the profile name exist, continue checks + if [ -n "$l_gpname" ]; then + l_gpdir="/etc/dconf/db/$l_gpname.d" + # Check if profile file exists + if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then + l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists" + else + l_output2="$l_output2\n - dconf database profile isn't set" + fi + # Check if the dconf database file exists + if [ -f "/etc/dconf/db/$l_gpname" ]; then + l_output="$l_output\n - The dconf database \"$l_gpname\" exists" + else + l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist" + fi + # check if the dconf database directory exists + if [ -d "$l_gpdir" ]; then + l_output="$l_output\n - The dconf 
directory \"$l_gpdir\" exitst" + else + l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist" + fi + # check automount setting + if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then + l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\"" + else + l_output2="$l_output2\n - \"automount\" is not set correctly" + fi + # check automount-open setting + if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then + l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\"" + else + l_output2="$l_output2\n - \"automount-open\" is not set correctly" + fi + else + # Setings don't exist. Nothing further to check + l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.7.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.7.sh new file mode 100644 index 0000000..b0ec907 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.7.sh 
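Review bot: the search pattern `'^\h*automount\b'` used for `l_kfile` also matches `automount-open=...` lines, because `\b` sits between `t` and `-`, so on a host that only sets `automount-open` the script picks that file as the `automount` key file and the later `automount\h*=\h*false` test reports a misleading 'not set correctly' instead of 'not set'; anchor the key as `'^\h*automount\h*='`. `[ -f "$l_kfile" ]` is false when grep returns several files (newline-joined), which silently skips all profile checks; take the first match or iterate. Output strings carry typos that will appear in reports (`exitst`), and the comment reads `Setings`.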
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash +{ + # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n + # determine system's package manager + l_pkgoutput="" + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + # Check if GDM is installed + l_pcl="gdm gdm3" # Space seporated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration" + done + # Check configuration (If applicable) + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + # Look for idle-delay to determine profile in use, needed for remaining tests + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked + l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}' ).d" #set directory of key file to be locked + if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked + if + grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' + "$l_kfd" + then + l_output="$l_output\n - \"automount\" is locked in \"$( + grep -Pil + '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd" + )\"" + else + l_output2="$l_output2\n - \"automount\" is not locked" + fi + else + l_output2="$l_output2\n - \"automount\" is not set so it can not be +locked" + fi + if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, options can't be locked + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount- +open\b' "$l_kfd2"; then + l_output="$l_output\n - \"lautomount-open\" is locked in \"$( + grep + -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2" + )\"" + else + l_output2="$l_output2\n - \"automount-open\" 
is not locked" + fi + else + l_output2="$l_output2\n - \"automount-open\" is not set so it can +not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed +on the system\n - Recommendation is not applicable" + fi + # Report results. If no failures output in l_output2, we pass + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit +failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.8.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.8.sh new file mode 100644 index 0000000..4fdd471 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.8.sh 
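Review bot: the two lock tests run `grep -Piq '...automount\b' "$l_kfd"` and `grep -Piq '...automount-open\b' "$l_kfd2"` against a directory without `-r`, so grep exits non-zero ("Is a directory") and this script can never report either key as locked; the message branches already use `grep -Pil`/`grep -Pril`, so use `grep -Priq` in the tests as well. The first test is also split so that `grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b'` and `"$l_kfd"` sit on separate `+` lines: grep then reads stdin and the directory path is executed as a command. The second pattern is broken across `automount-` and `open\b'` on two `+` lines, so it contains a newline and cannot match a single line of a key file. Smaller points: `l_pq` is empty when neither `dpkg-query` nor `rpm` exists, so the loop runs `gdm` as a command (guard with `[ -z "$l_pq" ]`), the "Look for idle-delay" comment is stale for the automount keys, and "seporated" and "lautomount-open" are typos that reach the report.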
@@ -0,0 +1,76 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" l_output="" l_output2="" + # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n + # determine system's package manager + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + # Check if GDM is installed + l_pcl="gdm gdm3" # Space separated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - +Package: \"$l_pn\" exists on the system\n - checking configuration" + echo -e "$l_pkgoutput" + done + # Check configuration (If applicable) + if [ -n "$l_pkgoutput" ]; then + echo -e "$l_pkgoutput" + # Look for existing settings and set variables if they exist + l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)" + # Set profile name based on dconf db directory ({PROFILE_NAME}.d) + if [ -f "$l_kfile" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_kfile")" + fi + # If the profile name exist, continue checks + if [ -n "$l_gpname" ]; then + l_gpdir="/etc/dconf/db/$l_gpname.d" + # Check if profile file exists + if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then + l_output="$l_output\n - dconf database profile file \"$( + grep -Pl + -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/* + )\" exists" + else + l_output2="$l_output2\n - dconf database profile isn't set" + fi + # Check if the dconf database file exists + if [ -f "/etc/dconf/db/$l_gpname" ]; then + l_output="$l_output\n - The dconf database \"$l_gpname\" exists" + else + l_output2="$l_output2\n - The dconf database \"$l_gpname\" +doesn't exist" + fi + # check if the dconf database directory exists + if [ -d "$l_gpdir" ]; then + l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst" + else + l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" +doesn't exist" + fi + # check autorun-never 
setting + if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then + l_output="$l_output\n - \"autorun-never\" is set to true in: +\"$l_kfile\"" + else + l_output2="$l_output2\n - \"autorun-never\" is not set correctly" + fi + else + # Settings don't exist. Nothing further to check + l_output2="$l_output2\n - \"autorun-never\" is not set" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed +on the system\n - Recommendation is not applicable" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit +failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.9.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.9.sh new file mode 100644 index 0000000..030120a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-1.8.9.sh 
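Review bot: `echo -e "$l_pkgoutput"` runs inside the `for l_pn in $l_pcl` loop and again right after `if [ -n "$l_pkgoutput" ]`, so the package banner is printed up to three times, while the sibling GDM scripts print it once at report time; drop the loop echo. In the profile check, `grep -Pl` and `-- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*` are on separate `+` lines inside the `$( )`, so grep is invoked with no pattern, `--` is then executed as a command, and the PASS message prints an empty filename. `l_gpname` is only assigned under `[ -f "$l_kfile" ]`, so initialize it with the other variables on the third line, and note that `l_kfile` holds several newline-separated paths when `autorun-never` appears in more than one db directory, which makes `-f` false and the whole check report "not set". "exitst" is a typo in the directory message.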
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash +{ + # Check if GNOME Desktop Manager is installed. If package isn't installed, recommendation is Not Applicable\n + # determine system's package manager + l_pkgoutput="" + if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" + fi + # Check if GDM is installed + l_pcl="gdm gdm3" # Space separated list of packages to check + for l_pn in $l_pcl; do + $l_pq "$l_pn" >/dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -Package: \"$l_pn\" exists on the system\n - checking configuration" + done + # Check configuration (If applicable) + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + # Look for idle-delay to determine profile in use, needed for remaining tests + l_kfd="/etc/dconf/db/$( grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file to be locked + if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options can't be locked + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then + l_output="$l_output\n - \"autorun-never\" is locked in \"$( + grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd" + )\"" + else + l_output2="$l_output2\n - \"autorun-never\" is not locked" + fi + else + l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + # Report results. If no failures output in l_output2, we pass + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} 
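Review bot: same missing `-r` as in the automount script: `grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"` targets the `.d` directory, so the test always fails and `"autorun-never" is not locked` is reported even when a lock file exists; `grep -Priq` fixes it (the message branch already uses `grep -Pil`, which likewise needs `-r`). `l_output` and `l_output2` are initialized only inside the installed branch, so the "package is not installed" `else` appends to whatever `l_output` the caller's environment carried; move `l_output="" l_output2=""` next to `l_pkgoutput=""`. The "Look for idle-delay" comment is a leftover from another item.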
diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-2.1.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-2.1.1.1.sh new file mode 100644 index 0000000..02ca1a6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-2.1.1.1.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +{ + output="" l_tsd="" l_sdtd="" chrony="" l_ntp="" + dpkg-query -W chrony >/dev/null 2>&1 && l_chrony="y" + dpkg-query -W ntp >/dev/null 2>&1 && l_ntp="y" || l_ntp="" + systemctl list-units --all --type=service | grep -q 'systemd- +timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' && l_sdtd="y" + # ! systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' && + l_nsdtd="y" || l_nsdtd="" + if [[ "$l_chrony" = "y" && "$l_ntp" != "y" && "$l_sdtd" != "y" ]]; then + l_tsd="chrony" + output="$output\n- chrony is in use on the system" + elif [[ "$l_chrony" != "y" && "$l_ntp" = "y" && "$l_sdtd" != "y" ]]; then + l_tsd="ntp" + output="$output\n- ntp is in use on the system" + elif [[ "$l_chrony" != "y" && "$l_ntp" != "y" ]]; then + if + systemctl list-units --all --type=service | grep -q 'systemd- +timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -Eq '(enabled|disabled|masked)' + then + l_tsd="sdtd" + output="$output\n- systemd-timesyncd is in use on the system" + fi + else + [[ "$l_chrony" = "y" && "$l_ntp" = "y" ]] && output="$output\n- both +chrony and ntp are in use on the system" + [[ "$l_chrony" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both +chrony and systemd-timesyncd are in use on the system" + [[ "$l_ntp" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both ntp +and systemd-timesyncd are in use on the system" + fi + if [ -n "$l_tsd" ]; then + echo -e "\n- PASS:\n$output\n" + else + echo -e "\n- FAIL:\n$output\n" + fi +} 
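Review bot: the initialization line clears `chrony=""` but every test reads `l_chrony`, which is never reset, so a stray `l_chrony` in the environment would make the script report chrony in use; change it to `l_chrony=""`. The `grep -q 'systemd-` / `timesyncd.service'` pattern is split across two `+` lines in both places, so it contains a newline and never matches `systemctl list-units` output: `l_sdtd` is never set, the "both ... and systemd-timesyncd" conflicts are unreachable, and in the branch where neither chrony nor ntp is installed the item falls through to FAIL even with systemd-timesyncd enabled. The commented-out `# ! systemctl is-enabled ... &&` leaves a dangling `l_nsdtd="y" || l_nsdtd=""` that always sets a variable nothing reads; remove both lines.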
diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.1.sh new file mode 100644 index 0000000..69033ff --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.1.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + output="" + grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; ) + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + if [ -s "$grubfile" ]; then + ! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && output="IPv6 Disabled in \"$grubfile\"" + fi + if + grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" + then + [ -n "$output" ] && output="$output, and in sysctl config" || output="ipv6 disabled in sysctl config" + fi + [ -n "$output" ] && echo -e "\n$output\n" || echo -e "\nIPv6 is enabled on the system\n" +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.2.sh new file mode 100644 index 0000000..725bc7a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.2.sh 
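Review bot: this script emits a free-text status line (`IPv6 is enabled on the system` or `IPv6 Disabled in ...`) rather than the `- Audit Result:\n ** PASS **` / `** FAIL **` block every other script in this directory prints, so whatever consumes these results needs a special case for 3.1.1; if that is intentional because the item only identifies IPv6 status, a comment at the top saying so would help. `grubfile=$(find /boot ... -exec grep -Pl ... {} \;)` can hold more than one path when several files match, in which case `[ -s "$grubfile" ]` is false and the grub check is silently skipped; iterate over the results instead. `$searchloc` is unquoted on purpose so the globs expand; a comment would stop someone "fixing" it.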
@@ -0,0 +1,29 @@ +#!/bin/bash +if command -v nmcli >/dev/null 2>&1; then + if nmcli radio all | grep -Eq '\s*\S+\s+disabled\s+\S+\s+disabled\b'; then + echo "Wireless is not enabled" + else + nmcli radio all + fi +elif [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then + t=0 + mname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | + xargs -0 dirname); do basename "$( + readlink -f + "$driverdir"/device/driver/module + )"; done | sort -u) + for dm in $mname; do + if + grep -Eq "^\s*install\s+$dm\s+/bin/(true|false)" + /etc/modprobe.d/*.conf + then + /bin/true + else + echo "$dm is not disabled" + t=1 + fi + done + [ "$t" -eq 0 ] && echo "Wireless is not enabled" +else + echo "Wireless is not enabled" +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.3.sh new file mode 100644 index 0000000..ce129a5 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.3.sh 
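Review bot: two commands are cut across `+` lines so their argument becomes a separate command: `readlink -f` runs with no path and then `"$driverdir"/device/driver/module` is executed, and `grep -Eq "^\s*install\s+$dm\s+/bin/(true|false)"` runs with no file (blocking on stdin) before `/etc/modprobe.d/*.conf` is executed. `find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname` pairs `-0` with a find that does not use `-print0`, so with more than one wireless interface xargs passes the entire newline-joined output as a single argument; use `find ... -print0 | xargs -0 dirname`. Style: this file uses `#!/bin/bash` and no `{ ... }` wrapper, unlike the rest of the directory.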
@@ -0,0 +1,40 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="dccp" # set module name + # Check if the module exists on the system + if + [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ] + then + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$( + grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<<"$l_mname" )\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.4.sh new file mode 100644 index 0000000..824c81c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.4.sh 
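Review bot: the deny-list test and its message disagree on where they look: the test uses `modprobe --showconfig`, which also reads `/run/modprobe.d` and `/usr/lib/modprobe.d`, but the message greps only `/etc/modprobe.d/*`, so a blacklist entry in one of the other directories passes the test and prints `deny listed in: ""`. The `tr '-' '_'` applied to `$l_mname` for the `--showconfig` grep is not applied to the `/etc/modprobe.d` grep on the next line, another way the two can disagree. `lsmod | grep "$l_mname"` is an unanchored substring match; `lsmod | grep -Pq "^\h*$l_mname\b"` avoids flagging an unrelated module whose name merely contains the string.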
@@ -0,0 +1,39 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="sctp" # set module name + # Check if the module exists on the system + if + [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory" )" ] + then + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$( grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.5.sh new file mode 100644 index 0000000..715a2a2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.5.sh 
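Review bot: this file is 3.1.3 with `l_mname="sctp"` and has already drifted from it (the `tr '-' '_'` in the `modprobe --showconfig` grep is gone here), and 3.1.5 and 3.1.6 are two more copies; one helper taking the module name as `$1` (or a function sourced by each item) would make the fixes for the substring `lsmod` match and the `/etc/modprobe.d`-only message land once. If the per-item files must stay, at least generate them from a template so the four copies cannot diverge.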
@@ -0,0 +1,42 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="rds" # set module name + # Check if the module exists on the system + if + [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory" )" ] + then + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$( + grep -P -- + "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" + )" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.6.sh new file mode 100644 index 0000000..69aa653 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.1.6.sh 
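Review bot: inside `l_loadable="$( ... )"`, `grep -P --` and `"(^\h*install|\b$l_mname)\b" <<<"$l_loadable"` are on separate `+` lines, so grep runs with no pattern (exit 2), the pattern string is then executed as a command, and `l_loadable` ends up empty whenever `modprobe -n -v rds` prints more than one line. The following `install \/bin\/(true|false)` grep therefore fails and the item reports `module: "rds" is loadable: ""` on a correctly hardened system. Join the two lines as in 3.1.4.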
@@ -0,0 +1,38 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="tipc" # set module name + # Check if the module exists on the system + if + [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ] + then + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" )" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + # Report results. If no failures output in l_output2, we pass + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.1.sh new file mode 100644 index 0000000..2e5b79b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.1.sh 
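Review bot: `l_loadable="$(modprobe -n -v "$l_mname")" [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && ...` puts the assignment and the `[` test on one line, which makes the assignment a temporary environment prefix for `[` rather than a shell variable assignment; `l_loadable` is never set in the script, the `install \/bin\/(true|false)` grep runs against an empty string, and `tipc` is always reported loadable. Split the assignment onto its own line as in 3.1.3 and 3.1.4.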
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/{print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.2.sh new file mode 100644 index 0000000..9014aa3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.2.2.sh 
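Review bot: `l_searchloc` deliberately pulls in ufw's `IPT_SYSCTL` file, but `KPC` only matches the dotted form `^\h*$l_kpname\h*=`, and the stock `/etc/ufw/sysctl.conf` is written with `/` separators (`net/ipv4/conf/all/send_redirects=0`), which sysctl(8) accepts; settings that live only there will be reported as "not set in a kernel parameter configuration file". Either normalise `/` to `.` before matching or build the pattern from `${l_kpname//./[./]}`. `KPC` also reads `l_kpname`/`l_kpvalue` from globals set by the loop; passing them as `$1`/`$2` with `local` would let the function be reused and tested on its own.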
@@ -0,0 +1,54 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + ipv6_chk() { + l_ipv6s="" + grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; ) + if [ -s "$grubfile" ]; then + ! 
grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled" + fi + if + grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" + then + l_ipv6s="disabled" + fi + if [ -n "$l_ipv6s" ]; then + l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable" + else + KPC + fi + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + if grep -q '^net.ipv6.' <<<"$l_kpe"; then + ipv6_chk + else + KPC + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.1.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.1.sh new file mode 100644 index 0000000..bd038a7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.1.sh 
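Review bot: `grubfile=$(find /boot ... -exec grep -Pl ... {} \;)` in `ipv6_chk` can contain more than one path when several grub files match, and `[ -s "$grubfile" ]` then fails silently, so the kernel-command-line check is skipped and an `ipv6.disable=1` system falls through to `KPC`, where `sysctl net.ipv6.conf.all.forwarding` fails; loop over the find output. `KPC` is byte-identical to 3.2.1 and `ipv6_chk` is repeated verbatim in 3.3.1 and 3.3.2; a sourced helper would keep the slash-form `/etc/ufw/sysctl.conf` fix and the grub fix in one place.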
@@ -0,0 +1,56 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + ipv6_chk() { + l_ipv6s="" + grubfile=$( + find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; + ) + if [ -s "$grubfile" ]; then + ! 
grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled" + fi + if + grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" + then + l_ipv6s="disabled" + fi + if [ -n "$l_ipv6s" ]; then + l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable" + else + KPC + fi + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + if grep -q '^net.ipv6.' <<<"$l_kpe"; then + ipv6_chk + else + KPC + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.2.sh new file mode 100644 index 0000000..24a149c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.2.sh 
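Review bot: `l_fafile` flags any file under `$l_searchloc` whose value differs from `$l_kpvalue`, even when a later file in sysctl precedence overrides it, so the item can FAIL while the effective and running configuration are both correct (the `l_krp` check already covers the running value). That is a defensible, stricter reading of the benchmark, but a comment next to `l_fafile` should say so, since the report wording "is set incorrectly in" suggests the file is authoritative. Third copy of `KPC`/`ipv6_chk`; see the 3.2.2 note.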
@@ -0,0 +1,56 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + ipv6_chk() { + l_ipv6s="" + grubfile=$( + find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; + ) + if [ -s "$grubfile" ]; then + ! 
grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled" + fi + if + grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" + then + l_ipv6s="disabled" + fi + if [ -n "$l_ipv6s" ]; then + l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable" + else + KPC + fi + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + if grep -q '^net.ipv6.' <<<"$l_kpe"; then + ipv6_chk + else + KPC + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.3.sh new file mode 100644 index 0000000..6e77404 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.3.sh 
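Review bot: the IPv6 "not applicable" path appends to `l_output` but never records which test decided IPv6 was off (grub versus sysctl), so a reviewer of the report cannot tell whether `net.ipv6.conf.*.accept_redirects` was skipped because of a kernel parameter or a persisted sysctl; include `$l_ipv6s`'s source in the message. `KPC` and `ipv6_chk` are otherwise identical to 3.2.2 and 3.3.1; one shared helper is strongly preferable to four copies.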
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.all.secure_redirects=0" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$( + grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' + )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.4.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.4.sh new file mode 100644 index 0000000..48faa27 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.4.sh 
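Review bot: `l_parlist` lists `default.secure_redirects` before `all.secure_redirects`, the reverse of every sibling script; harmless, but ordering `all` first keeps the reports uniform and diffs between the copies clean. The `l_fafile="$( ... )"` wrap here differs only in whitespace from 3.2.1, which is the kind of drift that a single `KPC` helper sourced by all eight sysctl items would avoid.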
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$( + grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc + )" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.5.sh new file mode 100644 index 0000000..8f1d931 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.5.sh 
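Review bot: `l_pafile` can hold several newline-separated paths (`grep -Psl` over all of `$l_searchloc`), and they are embedded as-is in the `is set to "1" in "..."` message, which breaks the one-finding-per-line layout the PASS/FAIL block otherwise keeps; join them with `, ` or report the last file in precedence order. The `log_martians=1` expectation relies on `\b` after `$l_kpvalue` to reject values like `10`, which works, but a comment would save the next reader the check.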
@@ -0,0 +1,34 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.icmp_echo_ignore_broadcasts=1" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$( grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$( + grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.6.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.6.sh new file mode 100644 index 0000000..cc54061 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.6.sh 
@@ -0,0 +1,34 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.icmp_ignore_bogus_error_responses=1" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$( + grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.7.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.7.sh new file mode 100644 index 0000000..75a6536 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.7.sh 
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc )" + l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.8.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.8.sh new file mode 100644 index 0000000..5d5bb06 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.8.sh 
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv4.tcp_syncookies=1" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)" + l_fafile="$( grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + KPC + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.9.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.9.sh new file mode 100644 index 0000000..c7890d6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.3.9.sh 
@@ -0,0 +1,56 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_parlist="net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0" + l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + KPC() { + l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + l_pafile="$(grep -Psl -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc)" + l_fafile="$( + grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}' + )" + if [ "$l_krp" = "$l_kpvalue" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in the running configuration" + else + l_output2="$l_output2\n - \"$l_kpname\" is set to \"$l_krp\" in the running configuration" + fi + if [ -n "$l_pafile" ]; then + l_output="$l_output\n - \"$l_kpname\" is set to \"$l_kpvalue\" in \"$l_pafile\"" + else + l_output2="$l_output2\n - \"$l_kpname = $l_kpvalue\" is not set in a kernel parameter configuration file" + fi + [ -n "$l_fafile" ] && l_output2="$l_output2\n - \"$l_kpname\" is set incorrectly in \"$l_fafile\"" + } + ipv6_chk() { + l_ipv6s="" + grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \; ) + if [ -s "$grubfile" ]; then + ! 
grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && l_ipv6s="disabled" + fi + if + grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" + then + l_ipv6s="disabled" + fi + if [ -n "$l_ipv6s" ]; then + l_output="$l_output\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable" + else + KPC + fi + } + for l_kpe in $l_parlist; do + l_kpname="$(awk -F= '{print $1}' <<<"$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<<"$l_kpe")" + if grep -q '^net.ipv6.' <<<"$l_kpe"; then + ipv6_chk + else + KPC + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.5.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.5.1.6.sh new file mode 100644 index 0000000..5dbe49c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-3.5.1.6.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +ufw_out="$(ufw status verbose)" +ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {split($5, a, ":"); print a[2]}' | sort | uniq | while read -r lpn; do + ! grep -Pq "^\h*$lpn\b" <<<"$ufw_out" && echo "- Port: \"$lpn\" is missing a firewall rule" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-A.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-A.sh new file mode 100644 index 0000000..7edd572 --- /dev/null 
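Review bot: In CIS-Debian-3.3.9, `grubfile=$(find /boot ... -exec grep -Pl ... {} \;)` can return more than one path (grub.cfg and grubenv commonly both match), and `[ -s "$grubfile" ]` then tests a newline-joined string that is not a file, so the kernel-command-line half of ipv6_chk is silently skipped and the decision rests on the sysctl checks alone. Iterate over the results (`while IFS= read -r grubfile; do ... done < <(find ...)`) or test each file with `grep -Pqs` inside the find.

Review bot: In CIS-Debian-3.5.1.6, `split($5, a, ":"); print a[2]` only works for IPv4 and `*:port` sockets: `ss -tuln` prints IPv6 listeners as `[::]:22`, for which `a[2]` is empty, so an IPv6-only service yields an empty `$lpn`, the pattern `^\h*\b` matches almost any rule line, and the port is never reported as missing a firewall rule. Take the text after the last colon instead (`sub(/.*:/, "", $5); print $5`). Note also that when ufw is inactive `ufw status verbose` prints only `Status: inactive`, so every listener is flagged; that is probably the intended result but worth stating for the PowerShell caller that parses this output.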
+++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-A.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +for PARTITION in $(findmnt -n -l -k -it $( + awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd, ) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do + for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do + grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK:'${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n" + done +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-B.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-B.sh new file mode 100644 index 0000000..39e4b16 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.3.6-B.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +{ + RUNNING=$(auditctl -l) + [ -n "${RUNNING}" ] && for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv"noexec|nosuid" | awk '{print $1}'); do + for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do + printf -- "${RUNNING}" | grep -q "${PRIVILEGED}" && printf "OK:'${PRIVILEGED}' found in auditing rules.\n" || printf "Warning:'${PRIVILEGED}' not found in running configuration.\n" + done + done || + printf "ERROR: Variable 'RUNNING' is unset.\n" +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.5.sh new file mode 100644 index 0000000..830c99e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.1.5.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +[ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "="'/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec stat -Lc "%n %U" {} + \ No newline at end of file 
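Review bot: In CIS-Debian-4.1.3.6-B, `grep -Pv"noexec|nosuid"` is missing the space before the pattern, so the shell passes grep the single word `-Pvnoexec|nosuid`, which it parses as the option cluster `-P -v -n -o -e 'xec|nosuid'`; the partition filter therefore behaves differently from the -A variant. Restore the space (`grep -Pv "noexec|nosuid"`). In both -A and -B, `grep -qr "${PRIVILEGED}" /etc/audit/rules.d` and `grep -q "${PRIVILEGED}"` are unanchored substring matches, so a rule for `/usr/bin/sudo` satisfies the check for `/usr/bin/su`; match the whole path token (`grep -qrw -- "${PRIVILEGED}"`). The paths are also interpolated into printf format strings; use `printf '%s\n' "..."` so a `%` in a filename cannot corrupt the report. Finally, `... done || printf "ERROR ..."` is evaluated against the exit status of the whole `for` loop, not of the `[ -n "${RUNNING}" ]` test, so the ERROR message depends on the last command in the loop body; use an explicit `if/else`.

Review bot: In CIS-Debian-4.1.5, `awk -F "="'/^\s*log_file/ {print $2}'` lacks the space between `"="` and the program text, so the shell joins them into one word that awk consumes as the -F argument and then fails for lack of a program; `dirname` receives an empty path and find runs against the current directory. Insert the space. The script also emits no PASS/FAIL text, only the offending files, so the caller must treat empty output as success.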
diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.2.3.sh new file mode 100644 index 0000000..33f3d7e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-4.2.3.sh 
@@ -0,0 +1,68 @@ +#!/usr/bin/env bash + +{ + echo -e "\n- Start check - logfiles have appropriate permissions and ownership" + output="" + find /var/log -type f | ( + while read -r fname; do + bname="$(basename "$fname")" + case "$bname" in lastlog | lastlog.* | wtmp | wtmp.* | btmp | btmp.*) + if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then + output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" + fi + if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then + output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" + fi + ;; + secure | auth.log) + if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then + output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" + fi + if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then + output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" + fi + ;; + SSSD | sssd) + if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then + output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" + fi + if ! stat -Lc "%U %G" "$fname" | grep -Piq -- '^\h*(SSSD|root)\h+(SSSD|root)\h*$'; then + output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" + fi + ;; + gdm | gdm3) + if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6]0\h*$'; then + output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" + fi + if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(gdm3?|root)\h*$'; then + output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" + fi + ;; + *.journal) + if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then + output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" + fi + if ! 
stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(root)\h+(systemd-journal|root)\h*$'; then + output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" + fi + ;; + *) + if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,4]0\h*$'; then + output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" + fi + if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*(syslog|root)\h+(adm|root)\h*$'; then + output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" + fi + ;; + esac + done + # If all files passed, then we pass + if [ -z "$output" ]; then + echo -e "\n- PASS\n- All files in \"/var/log/\" have appropriate permissions and ownership\n" + else + # print the reason why we are failing + echo -e "\n- FAIL:\n$output" + fi + echo -e "- End check - logfiles have appropriate permissions and ownership\n" + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.2.2.sh new file mode 100644 index 0000000..a10698e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.2.2.sh 
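Review bot: In CIS-Debian-4.2.3, the `SSSD | sssd)` and `gdm | gdm3)` case arms can never match: `bname` is the basename of a regular file from `find /var/log -type f`, while sssd and gdm3 are the names of log directories (/var/log/sssd/, /var/log/gdm3/), so their files fall into the `*)` arm and are judged against the syslog:adm rule and fail. Match on the path instead (`case "$fname" in */sssd/*) ... ;; */gdm/*|*/gdm3/*) ...`). Minor: `stat -c %a` prints no leading zeros, so a file with mode 040 or 000 prints `40` or `0` and fails the three-digit pattern `^[0-6][0-4]0$` despite being more restrictive than required, and the `[0,2,4,6]` classes carry a stray comma.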
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +{ + l_output="" + l_skgn="ssh_keys" # Group designated to own openSSH keys + l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)" + awk '{print}' <<<"$(find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat -L -c "%n %#a %U %G %g" {} +)" | ( + while read -r l_file l_mode l_owner l_group l_gid; do + [ -n "$l_skgid" ] && l_cga="$l_skgn" || l_cga="root" + [ "$l_gid" = "$l_skgid" ] && l_pmask="0137" || l_pmask="0177" + l_maxperm="$(printf '%o' $((0777 & ~$l_pmask)))" + [ $(($l_mode & $l_pmask)) -gt 0 ] && l_output="$l_output\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive" + [ "$l_owner" != "root" ] && l_output="$l_output\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\"" + if [ "$l_group" != "root" ] && [ "$l_gid" != "$l_skgid" ]; then + l_output="$l_output\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\"" + fi + done + if [ -z "$l_output" ]; then + echo -e "\n- Audit Result:\n *** PASS ***\n" + else + echo -e "\n- Audit Result:\n *** FAIL ***$l_output\n" + fi + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.4.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.4.5.sh new file mode 100644 index 0000000..4f0f6e7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.4.5.sh 
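Review bot: In CIS-Debian-5.2.2, `awk '{print}' <<<"$(find ...)"` always produces at least one line, so on a host with no ssh_host_*_key files `read` fills every variable with the empty string, `$(($l_mode & $l_pmask))` becomes an arithmetic syntax error and the owner/group tests append FAIL entries for a file named `""`. Pipe find directly into the subshell (`find ... -exec stat -L -c "%n %#a %U %G %g" {} + | ( while read -r ...`) so an empty result yields no iterations, and drop the no-op `awk '{print}'`.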
@@ -0,0 +1,12 @@ +#!/usr/bin/env bash +{ + declare -A HASH_MAP=(["y"]="yescrypt" ["1"]="md5" ["2"]="blowfish" + ["5"]="SHA256" ["6"]="SHA512" ["g"]="gost-yescrypt") + CONFIGURED_HASH=$(sed -n "s/^\s*ENCRYPT_METHOD\s*\(.*\)\s*$/\1/p" /etc/login.defs ) + for MY_USER in $(sed -n "s/^\(.*\):\\$.*/\1/p" /etc/shadow); do + CURRENT_HASH=$(sed -n "s/${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow) + if [[ "${HASH_MAP["${CURRENT_HASH}"]^^}" != "${CONFIGURED_HASH^^}" ]]; then + echo "The password for '${MY_USER}' is using '${HASH_MAP["${CURRENT_HASH}"]}' instead of the configured '${CONFIGURED_HASH}'." + fi + done +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.1.5.sh new file mode 100644 index 0000000..45b638f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.1.5.sh @@ -0,0 +1,9 @@ +#!/bin/bash +{ + awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do + change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s) + if [[ "$change" -gt "$(date +%s)" ]]; then + echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"" + fi + done +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.2.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.2.sh new file mode 100644 index 0000000..2e36e2a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.2.sh @@ -0,0 +1,4 @@ +#!/bin/bash +awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd + +awk -F: '($1!~/(root|^\+)/ && $3<'"$( awk '/^\s*UID_MIN/{print $2}' /etc/login.defs )"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}' 
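Review bot: In CIS-Debian-5.4.5, `sed -n "s/${MY_USER}:\\$\(.\).*/\1/p" /etc/shadow` is not anchored, so for user `bob` it also matches `jbob:$6$...`; CURRENT_HASH then holds several lines, the HASH_MAP lookup fails and the user is reported as using `''`. Anchor it (`s/^${MY_USER}:...`) or read name and prefix in one pass: `awk -F: '$2 ~ /^\$/ {print $1, substr($2,2,1)}' /etc/shadow`. Account names containing regex metacharacters (a `.` in `svc.backup`) also need escaping before interpolation into sed.

Review bot: In CIS-Debian-5.5.1.5, the check depends on the English `chage --list` output (`Last password change`); under any other locale the grep matches nothing, `date -d ""` yields today's midnight and every account silently passes. Prefix both chage calls with `LC_ALL=C` and fail loudly when `change` is empty.

Review bot: In CIS-Debian-5.5.2, both awk filters use unanchored regexes (`$1!~/(root|sync|shutdown|halt|^\+)/`), so any account whose name merely contains one of those words (for example `syncthing`) is excluded from the check. Anchor them: `$1!~/^(root|sync|shutdown|halt|\+.*)$/`.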
diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.4.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.4.sh new file mode 100644 index 0000000..baf7ed7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.4.sh @@ -0,0 +1,7 @@ +#!/bin/bash +{ + passing="" + grep -Eiq '^\s*UMASK\s+(0[0-7][2-7]7|[0-7][2-7]7)\b' /etc/login.defs && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Eq '^\s*session\s+(optional|requisite|required)\s+pam_umask\.so\b' /etc/pam.d/common-session && passing=true + grep -REiq '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/profile* /etc/bash.bashrc* && passing=true + [ "$passing" = true ] && echo "Default user umask is set" +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.5.sh new file mode 100644 index 0000000..82f1c81 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-5.5.5.sh 
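Review bot: In CIS-Debian-5.5.4, the script prints `Default user umask is set` on success and nothing at all on failure, so the caller cannot distinguish a failed check from a script that did not run (unreadable /etc/login.defs, missing grep); print an explicit failure line in the `else` case or `exit 1`. Minor: `UMASK\s+\s*` in the second pattern is redundant.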
@@ -0,0 +1,13 @@ +#!/bin/bash +output1="" output2="" +[ -f /etc/bash.bashrc ] && BRC="/etc/bash.bashrc" +for f in "$BRC" /etc/profile /etc/profile.d/*.sh; do + grep -Pq '^\s*([^#]+\s+)?TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?readonly\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && grep -Pq '^\s*([^#]+;\s*)?export\s+TMOUT(\s+|\s*;|\s*$|=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9]))\b' "$f" && output1="$f" +done +grep -Pq '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b'/etc/profile /etc/profile.d/*.sh "$BRC" && output2=$(grep -Ps '^\s*([^#]+\s+)?TMOUT=(9[0-9][1-9]|9[1-9][0-9]|0+|[1-9]\d{3,})\b' /etc/profile /etc/profile.d/*.sh $BRC) +if [ -n "$output1" ] && [ -z "$output2" ]; then + echo -e "\nPASSED\n\nTMOUT is configured in: \"$output1\"\n" +else + [ -z "$output1" ] && echo -e "\nFAILED\n\nTMOUT is not configured\n" + [ -n "$output2" ] && echo -e "\nFAILED\n\nTMOUT is incorrectly configured in: \"$output2\"\n" +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.11.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.11.sh new file mode 100644 index 0000000..2ab903b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.11.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +{ + output="" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( while read -r user home; do [ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - All local interactive users have a home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.12.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.12.sh new file mode 100644 index 0000000..341f7f5 --- /dev/null 
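Review bot: In CIS-Debian-5.5.5, `grep -Pq '...\b'/etc/profile /etc/profile.d/*.sh "$BRC"` is missing the space after the closing quote, so `/etc/profile` is glued onto the pattern (which then ends in `\b/etc/profile` and effectively never matches) and is dropped from the file list; an over-long TMOUT in /etc/profile is therefore never caught by `output2`. Also, `BRC` is only set when /etc/bash.bashrc exists, so on a host without it `for f in "$BRC" ...` iterates over an empty string and grep prints a file-not-found error for each pattern; build the file list conditionally or guard with `[ -n "$BRC" ]`.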
+++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.12.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +{ + output="" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\"" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - All local interactive users have a home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.13.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.13.sh new file mode 100644 index 0000000..a1a97a8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.13.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +{ + output="" + perm_mask='0027' + maxperm="$(printf '%o' $((0777 & ~$perm_mask)))" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( + while read -r user home; do + if [ -d "$home" ]; then + mode=$(stat -L -c '%#a' "$home") + [ $(($mode & $perm_mask)) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + fi + done + if [ -n "$output" ]; then + echo -e "\n- Failed:$output" + else + echo -e "\n- Passed:\n- All user home directories are mode:\"$maxperm\" or more restrictive" + fi + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.14.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.14.sh new file mode 100644 index 0000000..c68b429 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.14.sh 
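Review bot: In CIS-Debian-6.2.12, `owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && ...` is a single command: the assignment is a prefix that applies only to the environment of `[`, and `"$owner"` in its arguments is expanded before that prefix takes effect, so `owner` is never set in the shell. Every user is compared against the empty string and reported as `is owned by user ""`, and the check always fails. Put the assignment on its own line (or terminate it with `;`). The PASSED message was copied from 6.2.11 and still says `have a home directory`; it should say the home directories are owned by their users.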
@@ -0,0 +1,29 @@ +#!/usr/bin/env bash +{ + output="" output2="" + perm_mask='0177' + maxperm="$(printf '%o' $((0777 & ~$perm_mask)))" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( + while read -r user home; do + if [ -f "$home/.netrc" ]; then + mode="$(stat -L -c '%#a' "$home/.netrc")" + if [ $(($mode & $perm_mask)) -gt 0 ]; then + output="$output\n - User \"$user\" file: \"$home/.netrc\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + else + output2="$output2\n - User \"$user\" file: \"$home/.netrc\" exists and has file mode: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + fi + fi + done + if [ -z "$output" ]; then + if [ -z "$output2" ]; then + echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n" + else + echo -e "\n- WARNING:\n$output2\n" + fi + else + echo -e "\n- FAILED:\n$output\n" + [ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n" + fi + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.15.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.15.sh new file mode 100644 index 0000000..45d513a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.15.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + output="" + fname=".forward" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( + while read -r user home; do + [ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.16.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.16.sh new file mode 100644 index 0000000..445a1a9 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.16.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + output="" + fname=".rhosts" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( + while read -r user home; do + [ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.17.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.17.sh new file mode 100644 index 0000000..cc22adf --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.17.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +{ + output="" + perm_mask='0022' + maxperm="$(printf '%o' $((0777 & ~$perm_mask)))" + valid_shells="^($(sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | ( + while read -r user home; do + for dfile in $(find "$home" -type f -name '.*'); do + mode=$(stat -L -c '%#a' "$dfile") + [ $(($mode & $perm_mask)) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + done + done + if [ -n "$output" ]; then + echo -e "\n- Failed:$output" + else + echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive" + fi + ) +} 
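Review bot: In CIS-Debian-6.2.17, `for dfile in $(find "$home" -type f -name '.*')` word-splits the results, so a dot file whose path contains whitespace is split into fragments and `stat` fails on each; use `find ... -print0 | while IFS= read -r -d '' dfile`. Without `-maxdepth 1` the find also walks the whole home tree, so every dot-prefixed file under `.cache/` or a nested repository is inspected, which is slow and noisy on developer hosts; if the control is meant to cover only the dot files directly in the home directory, add `-maxdepth 1`.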
diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.3.sh new file mode 100644 index 0000000..afad21f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.3.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +a_passwd_group_gid=("$(awk -F: '{print $4}' /etc/passwd | sort -u)") +a_group_gid=("$(awk -F: '{print $3}' /etc/group | sort -u)") +a_passwd_group_diff=("$(printf '%s\n' "${a_group_gid[@]}" "${a_passwd_group_gid[@]}" | sort | uniq -u)") +while IFS= read -r l_gid; do + awk -F: '($4 == '"$l_gid"') {print " - User: \"" $1 "\" has GID: \"" $4 "\" which does not exist in /etc/group" }' /etc/passwd + exit 1 +done < <(printf '%s\n' "${a_passwd_group_gid[@]}" "${a_passwd_group_diff[@]}" | sort | uniq -D | uniq) +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.5.sh new file mode 100644 index 0000000..7d12fdf --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.5.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x; do + [ -z "$x" ] && break + set - $x + if [ $1 -gt 1 ]; then + users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs) + echo "Duplicate UID ($2): $users" + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.6.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.6.sh new file mode 100644 index 0000000..09eb62c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.6.sh @@ -0,0 +1,4 @@ +#!/bin/bash +cut -d: -f3 /etc/group | sort | uniq -d | while read x; do + echo "Duplicate GID ($x) in /etc/group" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.7.sh new file mode 100644 index 0000000..f5efc10 --- /dev/null 
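Review bot: In CIS-Debian-6.2.3, the `exit 1` inside the `while` loop terminates the script after the first orphaned GID is printed, so when several accounts reference GIDs missing from /etc/group only one is reported. Set a flag in the loop and `exit 1` after `done`. The `a_*=("$(...)")` quoting also produces single-element arrays whose one element holds embedded newlines; it works with `printf '%s\n'` by accident, whereas `mapfile -t a_passwd_group_gid < <(...)` states the intent.

Review bot: In CIS-Debian-6.2.5, `set - $x` should be `set -- $x`; a lone `-` is the POSIX instruction to turn off `-x`/`-v`, not the end-of-options marker, so the positional parameters are set only as a side effect. `read x` should also be `read -r x` for consistency with the sibling scripts.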
+++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.7.sh @@ -0,0 +1,4 @@ +#!/bin/bash +cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r x; do + echo "Duplicate login name $x in /etc/passwd" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.8.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.8.sh new file mode 100644 index 0000000..43eaaa4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.8.sh @@ -0,0 +1,4 @@ +#!/bin/bash +cut -d: -f1 /etc/group | sort | uniq -d | while read -r x; do + echo "Duplicate group name $x in /etc/group" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.9.sh b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.9.sh new file mode 100644 index 0000000..f5cc42e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Debian_11/CIS-Debian-6.2.9.sh @@ -0,0 +1,9 @@ +#!/bin/bash +awk -F: '($1!~/(root|halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do + if [ -d "$dir" ]; then + file="$dir/.forward" + if [ ! -h "$file" ] && [ -f "$file" ]; then + echo "User: \"$user\" file: \"$file\" exists" + fi + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1111.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1111.sh new file mode 100644 index 0000000..caed61a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1111.sh 
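Review bot: In CIS-Debian-6.2.9, this repeats the `.forward` check already made in CIS-Debian-6.2.15 with a different notion of "interactive user" (shell not nologin/false here, shell listed in /etc/shells there), so the two scripts can disagree on the same host; pick one definition or have 6.2.9 reuse 6.2.15. The exclusion `$1!~/(root|halt|sync|shutdown)/` is also unanchored and skips any account whose name contains one of those strings.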
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="squashfs" + test1=$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory") + if [ -z "$test1" ]; then + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1112.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1112.sh new file mode 100644 index 0000000..ee59d6a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_1112.sh 
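Review bot: In CIS100_RHEL9_1111.sh, the `deny listed in:` message searches only /etc/modprobe.d/*, while `modprobe --showconfig` also reads /run/modprobe.d, /usr/local/lib/modprobe.d and /lib/modprobe.d, so the check can pass with an empty filename in the report; search the same directories or print the matched line instead. This block is repeated verbatim for udf (1112) and usb-storage (119) with only `l_mname` changed; a single script that takes the module name as an argument would avoid the divergence visible in 119. Add the missing trailing newline flagged by `\ No newline at end of file`.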
@@ -0,0 +1,32 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="udf" + if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_119.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_119.sh new file mode 100644 index 0000000..809efb6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_119.sh 
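Review bot: CIS100_RHEL9_1112.sh is a verbatim copy of the squashfs check with only `l_mname` changed, and the same body is repeated again in the usb-storage and tipc scripts; only CIS100_RHEL9_312.sh factors it into a `module_chk` function. A single shared check that takes the module name as a parameter (for instance `$1`) would mean the regexes and the `lsmod` match are fixed in one place rather than four.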
@@ -0,0 +1,32 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + l_mname="usb-storage" + if [ -z '$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")' ]; then + l_loadable='$(modprobe -n -v "$l_mname")' + [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<< "$l_mname")\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_182.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_182.sh new file mode 100644 index 0000000..3621d88 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_182.sh 
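Review bot: the two single-quoted command substitutions in CIS100_RHEL9_119.sh break the check. `[ -z '$(modprobe -n -v "$l_mname" 2>&1 | grep ...)' ]` tests a non-empty literal string, so the condition is always false, the script always takes the `else` branch and reports `Module "usb-storage" doesn't exist on the system` followed by PASS whatever the real state; `l_loadable='$(modprobe -n -v "$l_mname")'` likewise stores the literal text. Use double quotes as the squashfs and udf scripts do. Once that is fixed, two more points: `lsmod` prints the name as `usb_storage`, so `lsmod | grep "$l_mname"` with the hyphenated name never matches and the module is always reported as not loaded, and the `grep -Pl` that locates the deny-list file omits the `tr '-' '_'` normalisation applied in the preceding `modprobe --showconfig` grep. Matching `usb[-_]storage` in both places covers either spelling in `/etc/modprobe.d`.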
@@ -0,0 +1,52 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + echo -e "$l_pkgoutput" + l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)" + if [ -n "$l_gdmfile" ]; then + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")" + if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then + l_output="$l_output\n - The \"banner-message-enable\" option is enabled in \"$l_gdmfile\"" + else + l_output2="$l_output2\n - The \"banner-message-enable\" option is not enabled" + fi + l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")" + if [ -n "$l_lsbt" ]; then + l_output="$l_output\n - The \"banner-message-text\" option is set in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\"" + else + l_output2="$l_output2\n - The \"banner-message-text\" option is not set" + fi + if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then + l_output="$l_output\n - The \"$l_gdmprofile\" profile exists" + else + l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist" + fi + if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then + l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in the dconf database" + else + l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database" + fi + else + l_output2="$l_output2\n - The \"banner-message-enable\" option isn't configured" + fi + else + echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *PASS*\n" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n 
PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_183.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_183.sh new file mode 100644 index 0000000..eb44b86 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_183.sh 
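Review bot: in CIS100_RHEL9_182.sh the not-installed branch prints an `Audit result: *PASS*` block and then falls through to the final `if [ -z "$l_output2" ]`, which prints a second `Audit Result: PASS` with `l_output` never initialised (both `l_output` and `l_output2` are only set inside the `if [ -n "$l_pkgoutput" ]` branch). Either initialise them at the top next to `l_pkgoutput` and drop the duplicate echo, or move the final result block inside the installed branch as CIS100_RHEL9_183.sh does. Also, `l_gdmfile` holds several paths when more than one file under `/etc/dconf/db/*.d` sets `banner-message-enable`, and the later `grep ... "$l_gdmfile"` then receives a multi-line filename.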
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + output="" output2="" + l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db)" + if [ -n "$l_gdmfile" ]; then + output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\"" + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")" + if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then + output="$output\n - The \"$l_gdmprofile\" exists" + else + output2="$output2\n - The \"$l_gdmprofile\" doesn't exist" + fi + if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then + output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database" + else + output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database" + fi + else + output2="$output2\n - The \"disable-user-list\" option is not enabled" + fi + if [ -z "$output2" ]; then + echo -e "$l_pkgoutput\n- Audit result:\n PASS:\n$output\n" + else + echo -e "$l_pkgoutput\n- Audit Result:\n FAIL:\n$output2\n" + [ -n "$output" ] && echo -e "$output\n" + fi + else + echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n PASS\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_184.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_184.sh new file mode 100644 index 0000000..874abc5 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_184.sh 
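Review bot: `grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db` in CIS100_RHEL9_183.sh recurses over the whole db directory, including the compiled binary databases, rather than the `*.d` keyfile directories the other GDM scripts search; a hit in `/etc/dconf/db/gdm` would make the awk profile derivation yield `db` instead of `gdm`. Restrict the search to `/etc/dconf/db/*.d` (or add `-I`). Minor: the messages `The "$l_gdmprofile" exists` / `doesn't exist` are missing the word `profile`, and this script uses `output`/`output2` where every sibling uses `l_output`/`l_output2`.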
@@ -0,0 +1,55 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" l_idmv="900" + l_ldmv="5" + l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/)" + if [ -n "$l_kfile" ]; then + l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" + l_pdbdir="/etc/dconf/db/$l_profile.d" + l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)" + if [ -n "$l_idv" ]; then + [ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\"" + else + l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\"" + fi + l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" | xargs)" + if [ -n "$l_ldv" ]; then + [ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\"" [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\"" + else + l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\"" + fi + if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then + l_output="$l_output\n - The \"$l_profile\" profile exists" + else + l_output2="$l_output2\n - The \"$l_profile\" doesn't 
exist" + fi + if [ -f "/etc/dconf/db/$l_profile" ]; then + l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database" + else + l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database" + fi + else + l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_185.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_185.sh new file mode 100644 index 0000000..72282d3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_185.sh 
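Review bot: the idle-delay and lock-delay evaluation lines in CIS100_RHEL9_184.sh run several `[ ... ] && var=...` pairs together on one line with no `;` or newline between them. As shown, `l_output="..." [ "$l_idv" = "0" ]` parses as a temporary assignment prefixed to the `[` command, so `l_output` is never set in the script's scope, the `"$l_idv" = "0"` test only runs when the preceding range test succeeded, and the `(disabled)` and `(greater than ...)` findings are gated on the wrong conditions. Put each `[ ... ] && ...` on its own line as the CIS reference script has them. The lock-delay line has the same structure (`l_output="...seconds in ..." [ "$l_ldv" -gt "$l_ldmv" ]`) and also lacks a space in `\"$l_ldv\"seconds`.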
@@ -0,0 +1,45 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + if [ -d "$l_kfd" ]; then + if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then + l_output="$l_output\n - \"idle-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\"" + else + l_output2="$l_output2\n - \"idle-delay\" is not locked" + fi + else + l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked" + fi + if [ -d "$l_kfd2" ]; then + if grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then + l_output="$l_output\n - \"lock-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\"" + else + l_output2="$l_output2\n - \"lock-delay\" is not locked" + fi + else + l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_186.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_186.sh new file mode 100644 index 0000000..3ed9317 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_186.sh 
@@ -0,0 +1,61 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" l_output="" l_output2="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + echo -e "$l_pkgoutput" + l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)" + l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)" + if [ -f "$l_kfile" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" + elif [ -f "$l_kfile2" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")" + fi + if [ -n "$l_gpname" ]; then + l_gpdir="/etc/dconf/db/$l_gpname.d" + if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then + l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists" + else + l_output2="$l_output2\n - dconf database profile isn't set" + fi + if [ -f "/etc/dconf/db/$l_gpname" ]; then + l_output="$l_output\n - The dconf database \"$l_gpname\" exists" + else + l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist" + fi + if [ -d "$l_gpdir" ]; then + l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst" + else + l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist" + fi + if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then + l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\"" + else + l_output2="$l_output2\n - \"automount\" is not set correctly" + fi + if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then + l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\"" + else + l_output2="$l_output2\n - \"automount-open\" is not set correctly" + fi + 
else + l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_187.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_187.sh new file mode 100644 index 0000000..f6e7c9e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_187.sh 
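Review bot: `[ -f "$l_kfile" ]` in CIS100_RHEL9_186.sh fails whenever `grep -l` returns more than one matching keyfile, so a second file under `/etc/dconf/db/*.d` that sets `automount` makes `l_gpname` fall back to `l_kfile2` or stay empty and the whole check reports `neither "automount" or "automount-open" is set`. Handle the multi-file case explicitly (pick the first line, or report the ambiguity) rather than letting the test silently fail. Typo in the dconf directory message: `exitst`.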
@@ -0,0 +1,45 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + if [ -d "$l_kfd" ]; then + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then + l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\"" + else + l_output2="$l_output2\n - \"automount\" is not locked" + fi + else + l_output2="$l_output2\n - \"automount\" is not set so it can not be locked" + fi + if [ -d "$l_kfd2" ]; then + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then + l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\"" + else + l_output2="$l_output2\n - \"automount-open\" is not locked" + fi + else + l_output2="$l_output2\n - \"automount-open\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of 
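Review bot: the lock check for `automount` in CIS100_RHEL9_187.sh uses the pattern `media-handling\/automount\b`, and `\b` matches before the `-` in `automount-open`, so a locks file that only locks `/org/gnome/desktop/media-handling/automount-open` satisfies the first test and the script reports `"automount" is locked` when it is not. Anchor the key as `automount\h*$` (or `automount(\h|$)`). Typo in the second PASS message: `lautomount-open`.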
file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_188.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_188.sh new file mode 100644 index 0000000..f11261a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_188.sh 
@@ -0,0 +1,53 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" l_output="" l_output2="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" echo -e "$l_pkgoutput" + done + if [ -n "$l_pkgoutput" ]; then + echo -e "$l_pkgoutput" + l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)" + if [ -f "$l_kfile" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" + fi + if [ -n "$l_gpname" ]; then + l_gpdir="/etc/dconf/db/$l_gpname.d" + if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then + l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists" + else + l_output2="$l_output2\n - dconf database profile isn't set" + fi + if [ -f "/etc/dconf/db/$l_gpname" ]; then + l_output="$l_output\n - The dconf database \"$l_gpname\" exists" + else + l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist" + fi + if [ -d "$l_gpdir" ]; then + l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst" + else + l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist" + fi + if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then + l_output="$l_output\n - \"autorun-never\" is set to true in: \"$l_kfile\"" + else + l_output2="$l_output2\n - \"autorun-never\" is not set correctly" + fi + else + l_output2="$l_output2\n - \"autorun-never\" is not set" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" 
+ [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_189.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_189.sh new file mode 100644 index 0000000..4fbf6d3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_189.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif + command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + if [ -d "$l_kfd" ]; then + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then + l_output="$l_output\n - \"autorun-never\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\"" + else + l_output2="$l_output2\n - \"autorun-never\" is not locked" + fi + else + l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_312.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_312.sh new file mode 100644 index 0000000..0d270d1 
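Review bot: in CIS100_RHEL9_188.sh the package loop line `... && l_pkgoutput="$l_pkgoutput\n - Package: ..." echo -e "$l_pkgoutput"` turns the assignment into a temporary environment prefix for `echo`, so `l_pkgoutput` is never updated in the script's scope. The following `if [ -n "$l_pkgoutput" ]` is therefore always false and the script reports `GNOME Desktop Manager package is not installed` and PASS even on hosts where gdm is present. Drop the stray `echo` from that line; the script already prints `l_pkgoutput` once after the loop. Same `exitst` typo as in CIS100_RHEL9_186.sh.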
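Review bot: style point in CIS100_RHEL9_189.sh: the `elif` is split from its condition (`elif` on one line, `command -v rpm > /dev/null 2>&1; then` on the next). Bash accepts this, but every sibling script writes `elif command -v rpm > /dev/null 2>&1; then` on one line, so join it for consistency.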
--- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_312.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" + module_chk() { + l_loadable="$(modprobe -n -v "$l_mname")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + } + if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then + l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do + basename "$(readlink -f "$driverdir"/device/driver/module)";done | sort -u) + for l_mname in $l_dname; do + module_chk + done + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS" + if [ -z "$l_output" ]; then + echo -e "\n - System has no wireless NICs installed" + else + echo -e "\n$l_output\n" + fi + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_313.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_313.sh new file mode 100644 index 0000000..4f2772c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_313.sh 
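Review bot: `find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname` in CIS100_RHEL9_312.sh pairs newline-delimited `find` output with `xargs -0`, which expects NUL delimiters; the whole output becomes a single argument, so with more than one wireless interface `dirname` is handed one multi-line string and the derived module list is wrong. Use `find ... -print0 | xargs -0 dirname` (or drop `-0`). Also `lsmod | grep "$l_mname"` inside `module_chk` is an unanchored match over the whole line; `grep -Pq -- "^$l_mname\b"` avoids a false loaded state from a dependency listed in the `Used by` column.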
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_mname="tipc" + if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_321.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_321.sh new file mode 100644 index 0000000..ed2523d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_321.sh 
@@ -0,0 +1,34 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_kparameters="net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + kernel_par_chk() + { + krp="" pafile="" fafile="" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" [ "$krp" = "$kpvalue" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in the running configuration" + [ -n "$pafile" ] && l_output="$l_output\n - \"$kpname\" is set to \"$kpvalue\" in \"$pafile\"" + [ -z "$fafile" ] && l_output="$l_output\n - \"$kpname\" is not set incorectly in a kernel parameter configuration file" [ "$krp" != "$kpvalue" ] && l_output2="$l_output2\n - \"$kpname\" is incorrectly set to \"$krp\" in the running configuration" + [ -n "$fafile" ] && l_output2="$l_output2\n - \"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && l_output2="$l_output2\n - \"$kpname = $kpvalue\" is not set in a kernel parameter configuration file" + } + for l_kpar in $l_kparameters; do + kpname="$(awk -F"=" '{print $1}' <<< "$l_kpar" | xargs)" kpvalue="$(awk -F"=" '{print $2}' <<< "$l_kpar" | xargs)" + if grep -Pq '^\h*net\.ipv6\.' 
<<< "$l_kpname"; then + if grep -Pqs '^\h*0\b' /sys/module/ipv6/parameters/disable; then + kernel_par_chk + else + l_output="$l_output\n - IPv6 is not enabled, check for: \"$l_kpar\" is not applicable" + fi + else + kernel_par_chk + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_1.sh new file mode 100644 index 0000000..80d69a7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_1.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.all.send_redirects" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL " + [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file 
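Review bot: two defects in CIS100_RHEL9_321.sh. First, `fafile="$(...)" [ "$krp" = "$kpvalue" ] && l_output=...` and `[ -z "$fafile" ] && l_output=... [ "$krp" != "$kpvalue" ] && l_output2=...` each place an assignment and the next test on one line, so the assignment becomes a temporary environment prefix of `[`: `fafile` is never set (the `is not set incorectly` line is always reported and a wrong value in a sysctl file is never flagged), and the `!=` running-configuration test only runs when the `-z "$fafile"` test succeeded. Split them onto separate lines as the CIS reference script has them. Second, the IPv6 applicability test greps `$l_kpname`, but the variable set in the loop is `kpname`, so the pattern is matched against an empty string and `net.ipv6.conf.all.forwarding` is checked (and can FAIL) even when IPv6 is disabled. Typo: `incorectly`.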
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_2.sh new file mode 100644 index 0000000..ab47dbf --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_322_2.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" kpname="net.ipv4.conf.default.send_redirects" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_11.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_11.sh new file mode 100644 index 0000000..cdafddf --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_11.sh 
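Review bot: in CIS100_RHEL9_322_2.sh the FAIL branch line `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e ...` passes `[ "$krp" != "$kpvalue" ]` as literal arguments to the first `echo`, which prints them and always succeeds, so the running-configuration message is emitted on every FAIL even when the running value is correct. Break the line after `echo -e "\nFAIL: "`, as CIS100_RHEL9_322_1.sh does.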
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.all.accept_source_route" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_12.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_12.sh new file mode 100644 index 0000000..2d8b016 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_12.sh 
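Review bot: CIS100_RHEL9_331_11.sh has the same merged FAIL line as 322_2: `echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e ...` prints the bracket expression literally and the `&&` branch then runs unconditionally, so the running-configuration message appears on every FAIL regardless of the running value. Move the `[ "$krp" != "$kpvalue" ] && echo ...` test onto its own line.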
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_21.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_21.sh new file mode 100644 index 0000000..c05f02c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_21.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv6.conf.all.accept_source_route" + kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_22.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_22.sh new file mode 100644 index 0000000..2a7347a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_331_22.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.default.accept_source_route" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_11.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_11.sh new file mode 100644 index 0000000..f413be4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_11.sh 
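Review bot: CIS100_RHEL9_331_22.sh sets `kpname="net.ipv4.conf.default.accept_source_route"`, which makes it an exact duplicate of CIS100_RHEL9_331_12.sh. Following the naming of its siblings (331_11 ipv4 all, 331_12 ipv4 default, 331_21 `net.ipv6.conf.all.accept_source_route`) this file should check `net.ipv6.conf.default.accept_source_route`, which is otherwise not audited at all; change kpname accordingly.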
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.all.accept_redirects" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_12.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_12.sh new file mode 100644 index 0000000..052c782 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_12.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_21.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_21.sh new file mode 100644 index 0000000..f99a9d7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_21.sh 
@@ -0,0 +1,14 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_redirects" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_22.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_22.sh new file mode 100644 index 0000000..bb28ce6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_332_22.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv6.conf.default.accept_redirects" + kpvalue="0" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_1.sh new file mode 100644 index 0000000..d715c4d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_1.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.all.log_martians" kpvalue="1" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_2.sh new file mode 100644 index 0000000..6552c98 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_334_2.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_335.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_335.sh new file mode 100644 index 0000000..9a81d92 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_335.sh 
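Review bot: CIS100_RHEL9_334_2.sh sets `kpname="net.ipv4.conf.default.accept_redirects" kpvalue="0"`, duplicating CIS100_RHEL9_332_12.sh exactly. Its sibling CIS100_RHEL9_334_1.sh checks `net.ipv4.conf.all.log_martians` with kpvalue "1", so this file is presumably meant to check `net.ipv4.conf.default.log_martians` with kpvalue "1"; as written the default-interface martian logging setting is never audited.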
@@ -0,0 +1,17 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.icmp_echo_ignore_broadcasts" + kpvalue="1" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_336.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_336.sh new file mode 100644 index 0000000..e634fb7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_336.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.icmp_ignore_bogus_error_responses" kpvalue="1" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_1.sh new file mode 100644 index 0000000..5bdca20 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_1.sh 
@@ -0,0 +1,14 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" kpname="net.ipv4.conf.all.rp_filter" kpvalue="1" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_2.sh new file mode 100644 index 0000000..dfd03aa --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_337_2.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv4.conf.default.rp_filter" + kpvalue="1" searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_338.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_338.sh new file mode 100644 index 0000000..ca201df --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_338.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" kpname="net.ipv4.tcp_syncookies" kpvalue="1" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_1.sh new file mode 100644 index 0000000..c3b4451 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_1.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" kpname="net.ipv6.conf.all.accept_ra" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_2.sh new file mode 100644 index 0000000..2e00244 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_339_2.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + krp="" pafile="" fafile="" + kpname="net.ipv6.conf.default.accept_ra" kpvalue="0" + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + krp="$(sysctl "$kpname" | awk -F= '{print $2}' | xargs)" + pafile="$(grep -Psl -- "^\h*$kpname\h*=\h*$kpvalue\b\h*(#.*)?$" $searchloc)" + fafile="$(grep -s -- "^\s*$kpname" $searchloc | grep -Pv -- "\h*=\h*$kpvalue\b\h*" | awk -F: '{print $1}')" + if [ "$krp" = "$kpvalue" ] && [ -n "$pafile" ] && [ -z "$fafile" ]; then + echo -e "\nPASS:\n\"$kpname\" is set to \"$kpvalue\" in the running configuration and in \"$pafile\"" + else + echo -e "\nFAIL: " [ "$krp" != "$kpvalue" ] && echo -e "\"$kpname\" is set to \"$krp\" in the running configuration\n" + [ -n "$fafile" ] && echo -e "\n\"$kpname\" is set incorrectly in \"$fafile\"" + [ -z "$pafile" ] && echo -e "\n\"$kpname = $kpvalue\" is not set in a kernel parameter configuration file\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3412.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3412.sh new file mode 100644 index 0000000..b8f0893 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3412.sh 
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status="" + rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)" + rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)" + l_fwutil_status="$l_fwd_status:$l_nft_status" + case $l_fwutil_status in + enabled:active:masked:inactive|enabled:active:disabled:inactive) + l_output="\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive" ;; + masked:inactive:enabled:active|disabled:inactive:enabled:active) + l_output="\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive" ;; + enabled:active:enabled:active) + l_output2="\n - Both FirewallD and NFTables utilities are enabled and active" ;; + enabled:*:enabled:*) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;; + *:active:*:active) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;; + :enabled:active) l_output="\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed" ;; + :) l_output2="\n - Neither FirewallD or NFTables is installed." ;; + *:*:) l_output2="\n - NFTables package is not installed on the system" ;; + *) l_output2="\n - Unable to determine firewall state" ;; + esac + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Results:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Results:\n FAIL\n$l_output2\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3421.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3421.sh new file mode 100644 index 0000000..852d59c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_3421.sh 
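Review bot: in CIS100_RHEL9_3412.sh the `*:active:*:active)` branch sets the message `Both FirewallD and NFTables utilities are enabled`, but the pattern is matching the active state, so the text reports the wrong condition and is indistinguishable from the `enabled:*:enabled:*)` branch above it; change it to `... are active`. In CIS100_RHEL9_3421.sh, `l_zone="$(firewall-cmd --get-default-zone)"` is empty both when no default zone is configured and when firewall-cmd itself fails (firewalld enabled but not running, or insufficient privilege), and both cases produce `The default zone is not set`; check the command's exit status and report the failure separately so the audit result is not misleading.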
@@ -0,0 +1,19 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_zone="" + if systemctl is-enabled firewalld.service | grep -q 'enabled'; then + l_zone="$(firewall-cmd --get-default-zone)" + if [ -n "$l_zone" ]; then + l_output=" - The default zone is set to: \"$l_zone\"" + else + l_output2=" - The default zone is not set" + fi + else + l_output=" - FirewallD is not in use on the system" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Results:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Results:\n FAIL\n$l_output2\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_1.sh new file mode 100644 index 0000000..d6790ee --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_2.sh new file mode 100644 index 0000000..609985d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41310_2.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file 
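Review bot: in both CIS100_RHEL9_41310_*.sh the chain `[ -n "${UID_MIN}" ] && awk "..." ... || printf "ERROR: Variable 'UID_MIN' is unset.\n"` relies on awk's exit status, and awk exits 0 whether or not any rule matched, so a missing mount rule yields empty output and no error; the caller must treat empty stdout as a failure, or the script should count matches and print a PASS/FAIL line like the sysctl scripts do. In the `_2` variant, `auditctl -l` run without root privileges writes its error to stderr and nothing to stdout, which the pipeline cannot tell apart from "no rule loaded"; run auditctl separately (or use `set -o pipefail`) and surface its failure.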
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_1.sh new file mode 100644 index 0000000..54445dc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_2.sh new file mode 100644 index 0000000..b33707d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41313_2.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_1.sh new file mode 100644 index 0000000..eb8d1eb --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules +} \ No newline at end of file 
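Review bot: the awk patterns in CIS100_RHEL9_41313_1.sh and CIS100_RHEL9_41314_1.sh OR their alternatives (`(/unlink/||/rename/||/unlinkat/||/renameat/)` and `(/\/etc\/selinux/ ||/\/usr\/share\/selinux/)`), so a rules file covering only one syscall or only one watch path still prints a match and looks like a pass; the caller has to confirm that every required syscall and path appears in the output, or the script should verify each one itself. Note also that `/rename/` already matches `renameat` and `/unlink/` matches `unlinkat`, so the alternation cannot distinguish them.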
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_2.sh new file mode 100644 index 0000000..bdd6815 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41314_2.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_1.sh new file mode 100644 index 0000000..1385dfa --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_2.sh new file mode 100644 index 0000000..913e33e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41315_2.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file 
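Review bot: CIS100_RHEL9_41314_2.sh and CIS100_RHEL9_41315_2.sh duplicate their `_1` counterparts with only `auditctl -l |` prepended to the awk call; one script per check taking an argument that selects the on-disk rules (`/etc/audit/rules.d/*.rules`) or the loaded rules (`auditctl -l`) would halve the number of files to maintain and keep the two patterns from drifting apart.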
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_1.sh new file mode 100644 index 0000000..e8ac36b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_2.sh new file mode 100644 index 0000000..7346f52 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41316_2.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_1.sh new file mode 100644 index 0000000..c48d60f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_1.sh 
@@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_2.sh new file mode 100644 index 0000000..985ec73 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41317_2.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_1.sh new file mode 100644 index 0000000..277666e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/sbin\/usermod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_2.sh new file mode 100644 index 0000000..c919b9a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41318_2.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/sbin\/usermod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_1.sh new file mode 100644 index 0000000..de470a3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_1.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +{ + awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) &&/ -S/ &&(/init_module/ ||/finit_module/ ||/delete_module/ ||/create_module/ ||/query_module/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/kmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_2.sh new file mode 100644 index 0000000..ea79b76 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_41319_2.sh 
@@ -0,0 +1,6 @@ +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) &&/ -S/ &&(/init_module/ ||/finit_module/ ||/delete_module/ ||/create_module/ ||/query_module/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/kmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_1.sh new file mode 100644 index 0000000..3f96a98 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_1.sh @@ -0,0 +1,5 @@ + #!/usr/bin/env bash + { + SUDO_LOG_FILE_ESCAPED=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g') + [ -n "${SUDO_LOG_FILE_ESCAPED}" ] && awk "/^ *-w/ \ &&/"${SUDO_LOG_FILE_ESCAPED}"/ &&/ +-p *wa/ \ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n" + } \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_2.sh new file mode 100644 index 0000000..9ce4e29 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4133_2.sh 
@@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + SUDO_LOG_FILE_ESCAPED=$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g' -e 's|/|\\/|g') + [ -n "${SUDO_LOG_FILE_ESCAPED}" ] && auditctl -l | awk "/^ *-w/ &&/"${SUDO_LOG_FILE_ESCAPED}"/ \ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" \ || printf "ERROR: Variable 'SUDO_LOG_FILE_ESCAPED' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_1.sh new file mode 100644 index 0000000..2cbbce2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_1.sh @@ -0,0 +1,8 @@ + #!/usr/bin/env bash + { + for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do + for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do + grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK: '${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n" + done + done + } \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_2.sh new file mode 100644 index 0000000..84c0a97 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4136_2.sh 
@@ -0,0 +1,9 @@ +#!/usr/bin/env bash +{ + RUNNING=$(auditctl -l) + [ -n "${RUNNING}" ] && for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do + for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do + printf -- "${RUNNING}" | grep -q "${PRIVILEGED}" && printf "OK: '${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in running configuration.\n" + done + done || printf "ERROR: Variable 'RUNNING' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_1.sh new file mode 100644 index 0000000..a17f5a1 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_1.sh @@ -0,0 +1,5 @@ + #!/usr/bin/env bash + { + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&(/ -F *exit=-EACCES/||/ -F *exit=-EPERM/) &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" + } \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_2.sh new file mode 100644 index 0000000..5fd8402 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4137_2.sh 
@@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&(/ -F *exit=-EACCES/||/ -F *exit=-EPERM/) &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_1.sh new file mode 100644 index 0000000..b4e350b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_2.sh new file mode 100644 index 0000000..ae3b0be --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4139_2.sh 
@@ -0,0 +1,5 @@ +#!/usr/bin/env bash +{ + UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + [ -n "${UID_MIN}" ] && auditctl -l | awk "/^ *-a *always,exit/ &&/ -F *arch=b[2346]{2}/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" || printf "ERROR: Variable 'UID_MIN' is unset.\n" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4141.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4141.sh new file mode 100644 index 0000000..a09342a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4141.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f \( ! -perm 600 -a ! -perm 0400 -a ! -perm 0200 -a ! -perm 0000 -a ! -perm 0640 -a ! -perm 0440 -a ! -perm 0040 \) -exec stat -Lc "%n %#a" {} + +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4142.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4142.sh new file mode 100644 index 0000000..c5c9fd7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4142.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + [ -f /etc/audit/auditd.conf ] && find "$(dirname $(awk -F "=" '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs))" -type f ! -user root -exec stat -Lc "%n %U" {} + +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4144.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4144.sh new file mode 100644 index 0000000..f409d0a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4144.sh 
@@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + stat -Lc "%n %a" "$(dirname $( awk -F"=" '/^\s*log_file\s*=\s*/ {print $2}' /etc/audit/auditd.conf))" | grep -Pv -- '^\h*\H+\h+([0,5,7][0,5]0)' +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4145.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4145.sh new file mode 100644 index 0000000..edabe95 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_4145.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -exec stat -Lc "%n %a" {} + | grep -Pv -- '^\h*\H+\h*([0,2,4,6][0,4]0)\h*$' +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_522.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_522.sh new file mode 100644 index 0000000..2c32e60 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_522.sh 
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_skgn="ssh_keys" + l_skgid="$(awk -F: '($1 == "'"$l_skgn"'"){print $3}' /etc/group)" [ -n "$l_skgid" ] && l_cga="$l_skgn" || l_cga="root" awk '{print}' <<< "$(find -L /etc/ssh -xdev -type f -exec stat -Lc "%n %#a %U %G %g" {} +)" | (while read -r l_file l_mode l_owner l_group l_gid; do + if file "$l_file" | grep -Pq ':\h+OpenSSH\h+private\h+key\b'; then + [ "$l_gid" = "$l_skgid" ] && l_pmask="0137" || l_pmask="0177" l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )" + if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then + l_output2="$l_output2\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive" + else + l_output="$l_output\n - File: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive" + fi + if [ "$l_owner" != "root" ]; then + l_output2="$l_output2\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\"" + else + l_output="$l_output\n - File: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\"" + fi + if [ "$l_group" != "root" ] && [ "$l_gid" != "$l_skgid" ]; then + l_output2="$l_output2\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\"" + else + l_output="$l_output\n - File: \"$l_file\" is owned by group \"$l_group\" should belong to group \"$l_cga\"" + fi + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n *PASS*\n$l_output" + else + echo -e "\n- Audit Result:\n *FAIL*\n$l_output2\n\n - Correctly set:\n$l_output" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_523.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_523.sh new file mode 100644 index 0000000..f07ec86 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_523.sh 
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_pmask="0133" + awk '{print}' <<< "$(find -L /etc/ssh -xdev -type f -exec stat -Lc "%n %#a %U %G" {} +)" | (while read -r l_file l_mode l_owner l_group; do + if file "$l_file" | grep -Pq ':\h+OpenSSH\h+(\H+\h+)?public\h+key\b'; then + l_maxperm="$( printf '%o' $(( 0777 & ~$l_pmask )) )" + if [ $(( $l_mode & $l_pmask )) -gt 0 ]; then + l_output2="$l_output2\n - Public key file: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive" + else + l_output="$l_output\n - Public key file: \"$l_file\" is mode \"$l_mode\" should be mode: \"$l_maxperm\" or more restrictive" + fi + if [ "$l_owner" != "root" ]; then + l_output2="$l_output2\n - Public key file: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\"" + else + l_output="$l_output\n - Public key file: \"$l_file\" is owned by: \"$l_owner\" should be owned by \"root\"" + fi + if [ "$l_group" != "root" ]; then + l_output2="$l_output2\n - Public key file: \"$l_file\" is owned by group \"$l_group\" should belong to group \"root\"\n" + else + l_output="$l_output\n - Public key file: \"$l_file\" is owned by group \"$l_group\" should belong to group \"root\"\n" + fi + fi + done + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n *PASS*\n$l_output" + else + echo -e "\n- Audit Result:\n *FAIL*\n$l_output2\n\n - Correctly set:\n$l_output" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_1.sh new file mode 100644 index 0000000..78f3c11 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + grep PASS_MAX_DAYS /etc/login.defs | cut -d ' ' -f 2 +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_2.sh new file mode 100644 index 0000000..e0f4638 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5611_2.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '(/^[^:]+:[^!*]/ && ($5>365 || $5~/([0-1]|-1|\s*)/)){print $1 " " $5}' /etc/shadow +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_1.sh new file mode 100644 index 0000000..4928e93 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + grep PASS_MIN_DAYS /etc/login.defs | cut -d ' ' -f 2 +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_2.sh new file mode 100644 index 0000000..127acc2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5612_2.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F : '(/^[^:]+:[^!*]/ && $4 < 1){print $1 " " $4}' /etc/shadow +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_1.sh new file mode 100644 index 0000000..a99e7ce --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + grep PASS_WARN_AGE /etc/login.defs | cut -d ' ' -f 2 +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_2.sh new file mode 100644 index 0000000..6953fe9 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5613_2.sh 
@@ -0,0 +1,9 @@ +#!/usr/bin/env bash +{ + for var in $(grep -E ^[^:]+:[^\!*] /etc/shadow | cut -d: -f6) + do + if [ $var -le 7 ]; then + echo "FAIL" + fi + done +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_1.sh new file mode 100644 index 0000000..4724df0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + useradd -D | grep INACTIVE | cut -d '=' -f 2 +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_2.sh new file mode 100644 index 0000000..191a5eb --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5614_2.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '/^[^#:]+:[^!\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\s*$/ {print $1":"$7}' /etc/shadow +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5615.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5615.sh new file mode 100644 index 0000000..5faf665 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_5615.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +{ + awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do + change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s); + if [[ "$change" -gt "$(date +%s)" ]]; then + echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\""; + fi; + done +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_1.sh new file mode 100644 index 0000000..ed7fd6f --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($1!~/^(root|halt|sync|shutdown|nfsnobody)$/ && ($3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' || $3 == 65534) && $7!~/^(\/usr)?\/sbin\/nologin$/) { print $1 }' /etc/passwd +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_2.sh new file mode 100644 index 0000000..7e58cb5 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_562_2.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '/nologin/ {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_1.sh new file mode 100644 index 0000000..d74ebd9 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_1.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +{ + passing="" + grep -Eiq '^\s*UMASK\s+(0[0-7][2-7]7|[0-7][2-7]7)\b' /etc/login.defs && grep -Eqi '^\s*USERGROUPS_ENAB\s*"?no"?\b' /etc/login.defs && grep -Eq '^\s*session\s+(optional|requisite|required)\s+pam_umask\.so\b' /etc/pam.d/common-session && passing=true grep -REiq '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/profile* /etc/bashrc* && passing=true + [ "$passing" = true ] && echo "Default user umask is set" +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_2.sh new file mode 100644 index 0000000..72f6a44 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_565_2.sh 
@@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bashrc* +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_621.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_621.sh new file mode 100644 index 0000000..8a41221 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_621.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6210.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6210.sh new file mode 100644 index 0000000..f2d2f79 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6210.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +{ + output="" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + [ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - All local interactive users have a home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6211.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6211.sh new file mode 100644 index 0000000..ef63bd4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6211.sh 
@@ -0,0 +1,14 @@ +#!/usr/bin/env bash +{ + output="" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\"" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - All local interactive users have a home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6212.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6212.sh new file mode 100644 index 0000000..cc2aa52 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6212.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + output="" + perm_mask='0027' + maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + mode=$( stat -L -c '%#a' "$home" ) + [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + done + if [ -n "$output" ]; then + echo -e "\n- Failed:$output" + else + echo -e "\n- Passed:\n- All user home directories are mode: \"$maxperm\" or more restrictive" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6213.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6213.sh new file mode 100644 index 0000000..972848b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6213.sh 
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash +{ + output="" output2="" perm_mask='0177' + maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + if [ -f "$home/.netrc" ]; then mode="$( stat -L -c '%#a' "$home/.netrc" )" + if [ $(( $mode & $perm_mask )) -gt 0 ]; then + output="$output\n - User \"$user\" file: \"$home/.netrc\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + else + output2="$output2\n - User \"$user\" file: \"$home/.netrc\" exists and has file mode: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + fi + fi + done + if [ -z "$output" ]; then + if [ -z "$output2" ]; then + echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n" + else + echo -e "\n- WARNING:\n$output2\n" + fi + else + echo -e "\n- FAILED:\n$output\n" [ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6214.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6214.sh new file mode 100644 index 0000000..8bd3a99 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6214.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + output="" + fname=".forward" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + [ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6215.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6215.sh new file mode 100644 index 0000000..1bf982e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6215.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +{ + output="" + fname=".rhosts" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + [ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists" + done + if [ -z "$output" ]; then + echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n" + else + echo -e "\n- FAILED:\n$output\n" + fi + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6216.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6216.sh new file mode 100644 index 0000000..238eafe --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_6216.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +{ + output="" + perm_mask='0022' + maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + for dfile in $(find "$home" -type f -name '.*'); do + mode=$( stat -L -c '%#a' "$dfile" ) + [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" + done + done + if [ -n "$output" ]; then + echo -e "\n- Failed:$output" + else + echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive" + fi + ) +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_622.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_622.sh new file mode 100644 index 0000000..2e5e69e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_622.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_628.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_628.sh new file mode 100644 index 0000000..3ef3663 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_628.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + RPCV="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)" + echo "$RPCV" | grep -q "::" && echo "root's path contains a empty directory (::)" + echo "$RPCV" | grep -q ":$" && echo "root's path contains a trailing (:)" + for x in $(echo "$RPCV" | tr ":" " "); do + if [ -d "$x" ]; then + ls -ldH "$x" | awk '$9 == "." {print "PATH contains current working directory (.)"} + $3 != "root" {print $9, "is not owned by root"} + substr($1,6,1) != "-" {print $9, "is group writable"} + substr($1,9,1) != "-" {print $9, "is world writable"}' + else + echo "$x is not a directory" + fi + done +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_629.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_629.sh new file mode 100644 index 0000000..14b6a5b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9/CIS100_RHEL9_629.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($3 == 0) { print $1 }' /etc/passwd +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.2.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.2.1.2.sh new file mode 100644 index 0000000..9eeadde --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.2.1.2.sh 
@@ -0,0 +1,42 @@ +#!/usr/bin/env bash +# Configuration file to check +FILE="/etc/dnf/dnf.conf" +# Pattern to search for +PATTERN="gpgcheck" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^[[:space:]]*#?[[:space:]]*$PATTERN\s*=" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^[[:space:]]*#[[:space:]]*$PATTERN\s*=" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of gpgcheck using grep and sed + VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=\s*(true|yes|[0-9]+)" "$FILE" | sed -E 's/.*=\s*(true|yes|[0-9]+).*/\1/') + + # If the value was found and it's valid (true, yes, or 1) + if [[ "$VALUE" == "true" || "$VALUE" == "yes" || "$VALUE" == "1" ]]; then + echo "The value of $PATTERN ($VALUE) is valid." + exit 0 + else + echo "The value of $PATTERN ($VALUE) is not valid." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.2.sh new file mode 100644 index 0000000..4f6f2e0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.2.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +if grubby --info=ALL | grep -Pq '(selinux|enforcing)=0\b'; then + exit 1 +else + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.3.sh new file mode 100644 index 0000000..c8153f8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.3.sh 
@@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +if grep -Eq '^\s*SELINUXTYPE=(targeted|mls)\b' /etc/selinux/config; then + echo "SELinux-Type is configured correctly" + exit 0 +else + echo "ERROR: SELinux-Type not configured" + exit 1 +fi + +if sestatus | grep -q "Loaded policy name: targeted"; then + echo "Policy is'targeted'" + exit 0 +elif sestatus | grep -q "Loaded policy name: mls"; then + echo "ERROR: Policy is 'mls'" + exit 1 +else + echo "ERROR: policy should be 'targeted'" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.5.sh new file mode 100644 index 0000000..d01b813 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.3.1.5.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +if grep -i SELINUX=enforcing /etc/selinux/config; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.5.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.5.3.sh new file mode 100644 index 0000000..20b1d2c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.5.3.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +for file in /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf; do + [ -e "$file" ] || continue + + if grep -Eq '^\s*ProcessSizeMax=0' "$file"; then + exit 0 + fi + +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.5.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.5.4.sh new file mode 100644 index 0000000..633b85c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.5.4.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +for file in /etc/systemd/coredump.conf /etc/systemd/coredump.conf.d/*.conf; do + [ -e "$file" ] || continue + + if grep -Eq '^\s*Storage=none' "$file"; then + exit 0 + fi + +done + +exit 1 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.6.1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.6.1.sh new file mode 100644 index 0000000..a778f03 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.6.1.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +grep -q "^1$" /proc/sys/crypto/fips_enabled && exit 0 +grep -q "^LEGACY$" /etc/crypto-policies/config && exit 1 || exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.6.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.6.2.sh new file mode 100644 index 0000000..b5f9bff --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.6.2.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +if [[ -f /etc/sysconfig/sshd ]]; then + if grep -Pi '^\s*CRYPTO_POLICY\s*=' /etc/sysconfig/sshd; then + echo "CRYPTO_POLICY ist set" + exit 1 + else + echo "CRYPTO_POLICY is not set" + fi +else + echo "file /etc/sysconfig/sshd does not exist" +fi +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.7.1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.7.1.sh new file mode 100644 index 0000000..373e1cc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.7.1.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +# Extract the OS ID from /etc/os-release +OS_ID=$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g') + +# Run the grep command with the OS ID incorporated +grep -Eis "(\\v|\\r|\\m|\\s|$OS_ID)" /etc/motd + +# Check the exit code of the grep command +if [ $? -ne 0 ]; then + # Grep did not find any matches, return 0 + exit 0 +else + # Grep found matches, return 1 + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.7.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.7.4.sh new file mode 100644 index 0000000..a2766e2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.7.4.sh 
@@ -0,0 +1,11 @@ +#!/usr/bin/env bash +TEST_FILE="/etc/motd" +if [ -e "$TEST_FILE" ]; then + DESIRED_PERM="644" + ACTUAL_PERM=$(stat -c "%a" "$TEST_FILE") + if [[ "$ACTUAL_PERM" == "$DESIRED_PERM" ]]; then + exit 0 + else + exit 1 + fi +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.10.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.10.sh new file mode 100644 index 0000000..d21b15d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.10.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +config_file="/etc/gdm/custom.conf" + +if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then + exit 0 +fi + +value="Enable" + +if grep -Eq "^\s*$value\s*=\s*true\s*$" "$config_file"; then + echo -e " \"$value\" in $config_file is true" + exit 1 +else + echo -e "\"$value\" not found or not set " +fi +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.2.sh new file mode 100644 index 0000000..3621d88 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.2.sh 
@@ -0,0 +1,52 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + echo -e "$l_pkgoutput" + l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)" + if [ -n "$l_gdmfile" ]; then + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")" + if grep -Pisq '^\h*banner-message-enable=true\b' "$l_gdmfile"; then + l_output="$l_output\n - The \"banner-message-enable\" option is enabled in \"$l_gdmfile\"" + else + l_output2="$l_output2\n - The \"banner-message-enable\" option is not enabled" + fi + l_lsbt="$(grep -Pios '^\h*banner-message-text=.*$' "$l_gdmfile")" + if [ -n "$l_lsbt" ]; then + l_output="$l_output\n - The \"banner-message-text\" option is set in \"$l_gdmfile\"\n - banner-message-text is set to:\n - \"$l_lsbt\"" + else + l_output2="$l_output2\n - The \"banner-message-text\" option is not set" + fi + if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then + l_output="$l_output\n - The \"$l_gdmprofile\" profile exists" + else + l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist" + fi + if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then + l_output="$l_output\n - The \"$l_gdmprofile\" profile exists in the dconf database" + else + l_output2="$l_output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database" + fi + else + l_output2="$l_output2\n - The \"banner-message-enable\" option isn't configured" + fi + else + echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n *PASS*\n" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n 
PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.3.sh new file mode 100644 index 0000000..eb44b86 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.3.sh 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + output="" output2="" + l_gdmfile="$(grep -Pril '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db)" + if [ -n "$l_gdmfile" ]; then + output="$output\n - The \"disable-user-list\" option is enabled in \"$l_gdmfile\"" + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_gdmfile")" + if grep -Pq "^\h*system-db:$l_gdmprofile" /etc/dconf/profile/"$l_gdmprofile"; then + output="$output\n - The \"$l_gdmprofile\" exists" + else + output2="$output2\n - The \"$l_gdmprofile\" doesn't exist" + fi + if [ -f "/etc/dconf/db/$l_gdmprofile" ]; then + output="$output\n - The \"$l_gdmprofile\" profile exists in the dconf database" + else + output2="$output2\n - The \"$l_gdmprofile\" profile doesn't exist in the dconf database" + fi + else + output2="$output2\n - The \"disable-user-list\" option is not enabled" + fi + if [ -z "$output2" ]; then + echo -e "$l_pkgoutput\n- Audit result:\n PASS:\n$output\n" + else + echo -e "$l_pkgoutput\n- Audit Result:\n FAIL:\n$output2\n" + [ -n "$output" ] && echo -e "$output\n" + fi + else + echo -e "\n\n - GNOME Desktop Manager isn't installed\n - Recommendation is Not Applicable\n- Audit result:\n PASS\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.4.sh new file mode 100644 index 0000000..874abc5 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.4.sh 
@@ -0,0 +1,55 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" l_idmv="900" + l_ldmv="5" + l_kfile="$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/)" + if [ -n "$l_kfile" ]; then + l_profile="$(awk -F'/' '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" + l_pdbdir="/etc/dconf/db/$l_profile.d" + l_idv="$(awk -F 'uint32' '/idle-delay/{print $2}' "$l_kfile" | xargs)" + if [ -n "$l_idv" ]; then + [ "$l_idv" -gt "0" -a "$l_idv" -le "$l_idmv" ] && l_output="$l_output\n - The \"idle-delay\" option is set to \"$l_idv\" seconds in \"$l_kfile\"" [ "$l_idv" = "0" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" (disabled) in \"$l_kfile\"" [ "$l_idv" -gt "$l_idmv" ] && l_output2="$l_output2\n - The \"idle-delay\" option is set to \"$l_idv\" seconds (greater than $l_idmv) in \"$l_kfile\"" + else + l_output2="$l_output2\n - The \"idle-delay\" option is not set in \"$l_kfile\"" + fi + l_ldv="$(awk -F 'uint32' '/lock-delay/{print $2}' "$l_kfile" | xargs)" + if [ -n "$l_ldv" ]; then + [ "$l_ldv" -ge "0" -a "$l_ldv" -le "$l_ldmv" ] && l_output="$l_output\n - The \"lock-delay\" option is set to \"$l_ldv\"seconds in \"$l_kfile\"" [ "$l_ldv" -gt "$l_ldmv" ] && l_output2="$l_output2\n - The \"lock-delay\" option is set to \"$l_ldv\" seconds (greater than $l_ldmv) in \"$l_kfile\"" + else + l_output2="$l_output2\n - The \"lock-delay\" option is not set in \"$l_kfile\"" + fi + if grep -Psq "^\h*system-db:$l_profile" /etc/dconf/profile/*; then + l_output="$l_output\n - The \"$l_profile\" profile exists" + else + l_output2="$l_output2\n - The \"$l_profile\" doesn't 
exist" + fi + if [ -f "/etc/dconf/db/$l_profile" ]; then + l_output="$l_output\n - The \"$l_profile\" profile exists in the dconf database" + else + l_output2="$l_output2\n - The \"$l_profile\" profile doesn't exist in the dconf database" + fi + else + l_output2="$l_output2\n - The \"idle-delay\" option doesn't exist, remaining tests skipped" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.5.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.5.sh new file mode 100644 index 0000000..72282d3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.5.sh 
@@ -0,0 +1,45 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + if [ -d "$l_kfd" ]; then + if grep -Prilq '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then + l_output="$l_output\n - \"idle-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\"" + else + l_output2="$l_output2\n - \"idle-delay\" is not locked" + fi + else + l_output2="$l_output2\n - \"idle-delay\" is not set so it can not be locked" + fi + if [ -d "$l_kfd2" ]; then + if grep -Prilq '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then + l_output="$l_output\n - \"lock-delay\" is locked in \"$(grep -Pril '\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\"" + else + l_output2="$l_output2\n - \"lock-delay\" is not locked" + fi + else + l_output2="$l_output2\n - \"lock-delay\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.6.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.6.sh new file mode 100644 index 0000000..3ed9317 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.6.sh 
@@ -0,0 +1,61 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" l_output="" l_output2="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + echo -e "$l_pkgoutput" + l_kfile="$(grep -Prils -- '^\h*automount\b' /etc/dconf/db/*.d)" + l_kfile2="$(grep -Prils -- '^\h*automount-open\b' /etc/dconf/db/*.d)" + if [ -f "$l_kfile" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" + elif [ -f "$l_kfile2" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile2")" + fi + if [ -n "$l_gpname" ]; then + l_gpdir="/etc/dconf/db/$l_gpname.d" + if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then + l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists" + else + l_output2="$l_output2\n - dconf database profile isn't set" + fi + if [ -f "/etc/dconf/db/$l_gpname" ]; then + l_output="$l_output\n - The dconf database \"$l_gpname\" exists" + else + l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist" + fi + if [ -d "$l_gpdir" ]; then + l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst" + else + l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist" + fi + if grep -Pqrs -- '^\h*automount\h*=\h*false\b' "$l_kfile"; then + l_output="$l_output\n - \"automount\" is set to false in: \"$l_kfile\"" + else + l_output2="$l_output2\n - \"automount\" is not set correctly" + fi + if grep -Pqs -- '^\h*automount-open\h*=\h*false\b' "$l_kfile2"; then + l_output="$l_output\n - \"automount-open\" is set to false in: \"$l_kfile2\"" + else + l_output2="$l_output2\n - \"automount-open\" is not set correctly" + fi + 
else + l_output2="$l_output2\n - neither \"automount\" or \"automount-open\" is set" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.7.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.7.sh new file mode 100644 index 0000000..f6e7c9e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.7.sh 
@@ -0,0 +1,45 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + if [ -d "$l_kfd" ]; then + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd"; then + l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\"" + else + l_output2="$l_output2\n - \"automount\" is not locked" + fi + else + l_output2="$l_output2\n - \"automount\" is not set so it can not be locked" + fi + if [ -d "$l_kfd2" ]; then + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2"; then + l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep -Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' "$l_kfd2")\"" + else + l_output2="$l_output2\n - \"automount-open\" is not locked" + fi + else + l_output2="$l_output2\n - \"automount-open\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of 
file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.8.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.8.sh new file mode 100644 index 0000000..f11261a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.8.sh 
@@ -0,0 +1,53 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" l_output="" l_output2="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" echo -e "$l_pkgoutput" + done + if [ -n "$l_pkgoutput" ]; then + echo -e "$l_pkgoutput" + l_kfile="$(grep -Prils -- '^\h*autorun-never\b' /etc/dconf/db/*.d)" + if [ -f "$l_kfile" ]; then + l_gpname="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<< "$l_kfile")" + fi + if [ -n "$l_gpname" ]; then + l_gpdir="/etc/dconf/db/$l_gpname.d" + if grep -Pq -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*; then + l_output="$l_output\n - dconf database profile file \"$(grep -Pl -- "^\h*system-db:$l_gpname\b" /etc/dconf/profile/*)\" exists" + else + l_output2="$l_output2\n - dconf database profile isn't set" + fi + if [ -f "/etc/dconf/db/$l_gpname" ]; then + l_output="$l_output\n - The dconf database \"$l_gpname\" exists" + else + l_output2="$l_output2\n - The dconf database \"$l_gpname\" doesn't exist" + fi + if [ -d "$l_gpdir" ]; then + l_output="$l_output\n - The dconf directory \"$l_gpdir\" exitst" + else + l_output2="$l_output2\n - The dconf directory \"$l_gpdir\" doesn't exist" + fi + if grep -Pqrs -- '^\h*autorun-never\h*=\h*true\b' "$l_kfile"; then + l_output="$l_output\n - \"autorun-never\" is set to true in: \"$l_kfile\"" + else + l_output2="$l_output2\n - \"autorun-never\" is not set correctly" + fi + else + l_output2="$l_output2\n - \"autorun-never\" is not set" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" 
+ [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.9.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.9.sh new file mode 100644 index 0000000..4fbf6d3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/1.8.9.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +{ + l_pkgoutput="" + if command -v dpkg-query > /dev/null 2>&1; then + l_pq="dpkg-query -W" + elif + command -v rpm > /dev/null 2>&1; then + l_pq="rpm -q" + fi + l_pcl="gdm gdm3" + for l_pn in $l_pcl; do + $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - Package: \"$l_pn\" exists on the system\n - checking configuration" + done + if [ -n "$l_pkgoutput" ]; then + l_output="" l_output2="" + l_kfd="/etc/dconf/db/$(grep -Psril '^\h*autorun-never\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + if [ -d "$l_kfd" ]; then + if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd"; then + l_output="$l_output\n - \"autorun-never\" is locked in \"$(grep -Pil '^\h*\/org/gnome\/desktop\/media-handling\/autorun-never\b' "$l_kfd")\"" + else + l_output2="$l_output2\n - \"autorun-never\" is not locked" + fi + else + l_output2="$l_output2\n - \"autorun-never\" is not set so it can not be locked" + fi + else + l_output="$l_output\n - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + fi + [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/2.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/2.3.3.sh new file mode 100644 index 0000000..00f5eaf 
--- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/2.3.3.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +config_file="/etc/sysconfig/chronyd" + +if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then + echo "Configuration file '$config_file' is missing or not readable. Exiting." + exit 1 +fi + +regex_pattern="^\s*OPTIONS=\s*([^#\n\r]+\s+)?-u\s+root\b" +value="-u\s+root\b" +if grep -Eq "$regex_pattern" "$config_file"; then + echo " \"$value\" in $config_file is found" + exit 1 +else + echo "\"$value\" not found or not set " +fi +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/2.4.18.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/2.4.18.sh new file mode 100644 index 0000000..4692a30 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/2.4.18.sh @@ -0,0 +1,44 @@ +#!/usr/bin/env bash + +# Define the files to check +FILES=("/etc/cron.allow" "/etc/cron.deny") + +# Function to check a file +check_file() { + local file=$1 + + # Check if the file exists + if [ ! -e "$file" ]; then + echo "File $file does not exist. Ignoring." + return 0 + fi + + # Get the file permissions in numeric format + local permissions=$(stat -c "%a" "$file") + local owner=$(stat -c "%U" "$file") + local group=$(stat -c "%G" "$file") + + # Check if the file permissions are 0640 or more restrictive + if [ "$permissions" -gt 640 ]; then + echo "File $file permissions are not 0640 or more restrictive." + return 1 + fi + + # Check if the owner is root and group is root + if [ "$owner" != "root" ] || [ "$group" != "root" ]; then + echo "File $file owner or group is not root." + return 1 + fi + + return 0 +} + +# Check each file +for file in "${FILES[@]}"; do + if ! check_file "$file"; then + exit 1 + fi +done + +# If all checks pass, exit with status 0 +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/3.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/3.1.3.sh new file mode 100644 index 0000000..4f2772c --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/3.1.3.sh @@ -0,0 +1,31 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_mname="tipc" + if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi + else + l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system" + fi + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Result:\n FAIL\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/4.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/4.1.2.sh new file mode 100644 index 0000000..b8f0893 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/4.1.2.sh 
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status="" + rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)" + rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)" + l_fwutil_status="$l_fwd_status:$l_nft_status" + case $l_fwutil_status in + enabled:active:masked:inactive|enabled:active:disabled:inactive) + l_output="\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive" ;; + masked:inactive:enabled:active|disabled:inactive:enabled:active) + l_output="\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive" ;; + enabled:active:enabled:active) + l_output2="\n - Both FirewallD and NFTables utilities are enabled and active" ;; + enabled:*:enabled:*) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;; + *:active:*:active) l_output2="\n - Both FirewallD and NFTables utilities are enabled" ;; + :enabled:active) l_output="\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed" ;; + :) l_output2="\n - Neither FirewallD or NFTables is installed." ;; + *:*:) l_output2="\n - NFTables package is not installed on the system" ;; + *) l_output2="\n - Unable to determine firewall state" ;; + esac + if [ -z "$l_output2" ]; then + echo -e "\n- Audit Results:\n PASS\n$l_output\n" + else + echo -e "\n- Audit Results:\n FAIL\n$l_output2\n" + fi +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.10.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.10.sh new file mode 100644 index 0000000..89ecb6c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.10.sh 
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=disableforwarding +parameter_sshd_config=DisableForwarding +desired_value=yes + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.11.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.11.sh new file mode 100644 index 0000000..49ee504 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.11.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=gssapiauthentication +parameter_sshd_config=GSSAPIAuthentication +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.12.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.12.sh new file mode 100644 index 0000000..40eb8e2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.12.sh 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash +parameter_sshd_t=hostbasedauthentication +parameter_sshd_config=HostbasedAuthentication +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.13.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.13.sh new file mode 100644 index 0000000..44c53ba --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.13.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=ignorerhosts +parameter_sshd_config=IgnoreRhosts +desired_value=yes + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + actual_value=no + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.14.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.14.sh new file mode 100644 index 0000000..55f58f2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.14.sh 
@@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +#test +parameter_sshd_t=logingracetime +parameter_sshd_config=LoginGraceTime +desired_value=60 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + actual_value=120 + fi +fi + +if [ "$actual_value" -le "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.15.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.15.sh new file mode 100644 index 0000000..90d49f0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.15.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash +parameter_sshd_t=loglevel +parameter_sshd_config=LogLevel +desired_value=INFO +desired_value1=VERBOSE + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + actual_value=INFO + fi +fi + +if [ "$actual_value" = "$desired_value" ] || [ "$actual_value" = "$desired_value1" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.17.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.17.sh new file mode 100644 index 0000000..e1d2b8d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.17.sh 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash +parameter_sshd_t=maxstartups +parameter_sshd_config=MaxStartups +desired_value="10:30:60" + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -Ei "^$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep -E "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.18.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.18.sh new file mode 100644 index 0000000..9d1ac4d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.18.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +parameter_sshd_t=maxsessions +parameter_sshd_config=MaxSessions +FILE="/etc/ssh/sshd_config" +desired_value=10 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + fi +fi + +if [ "$actual_value" -le "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.9.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.9.sh new file mode 100644 index 0000000..c1284aa --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.1.9.sh 
@@ -0,0 +1,34 @@ +#!/usr/bin/env bash +parameter_sshd_t=clientaliveinterval +parameter_sshd_config=ClientAliveInterval +desired_value=15 + +parameter_sshd_t1=clientalivecountmax +parameter_sshd_config1=ClientAliveCountMax +desired_value1=3 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') +actual_value1=$(sshd -T | grep -i "$parameter_sshd_t1" | awk '{print $2}') + +if [ -z "$actual_value" ] && [ -z "$actual_value1" ]; then + if (grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config) && (grep -iq '^$parameter_sshd_config1' /etc/ssh/sshd_config); then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + actual_value1=$(grep -i '^$parameter_sshd_config1' /etc/ssh/sshd_config | awk '{print $2}') + + else + echo "$parameter_sshd_config not set in sshd_config, using default" + exit 1 + fi +fi + +if [ "$actual_value" -eq "$desired_value" ] && [ "$actual_value1" -eq "$desired_value1" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.2.sh new file mode 100644 index 0000000..4fe362e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.2.sh 
@@ -0,0 +1,39 @@ +#!/usr/bin/env bash + +# Check if authselect.conf exists +if [[ ! -f /etc/authselect/authselect.conf ]]; then + echo "/etc/authselect/authselect.conf is missing." + exit 1 +fi + +l_module_name="faillock" +l_pam_profile="$(head -1 /etc/authselect/authselect.conf)" + +if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then + l_pam_profile_path="/etc/authselect/$l_pam_profile" +else + l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile" +fi + +for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do + if [[ ! -f "$file" ]]; then + echo "File $file does not exist. Test failed." + exit 1 + fi + + if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then + echo "pam_faillock.so entry not found in $file. Test failed." + exit 1 + else + echo "pam_faillock.so entry found in $file." + fi + + if ! grep -P -- "\{include if \"with-faillock\"\}" "$file" >/dev/null; then + echo "Entry '{include if \"with-faillock\"}' not found in $file. Test failed." + exit 1 + else + echo "Entry '{include if \"with-faillock\"}' found in $file. Test passed." + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.3.sh new file mode 100644 index 0000000..d2298f0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.3.sh 
@@ -0,0 +1,32 @@ +#!/usr/bin/env bash + +# Check if /etc/authselect/authselect.conf exists +if [[ ! -f /etc/authselect/authselect.conf ]]; then + echo "/etc/authselect/authselect.conf is missing." + exit 1 +fi + +l_module_name="unix" +l_pam_profile="$(head -1 /etc/authselect/authselect.conf)" + +if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then + l_pam_profile_path="/etc/authselect/$l_pam_profile" +else + l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile" +fi + +for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do + if [[ ! -f "$file" ]]; then + echo "File $file does not exist. Test failed." + exit 1 + fi + + if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then + echo "pam_unix.so entry not found in $file. Test failed." + exit 1 + else + echo "pam_unix.so entry found in $file. Test passed." + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.4.sh new file mode 100644 index 0000000..e9278ab --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.4.sh 
@@ -0,0 +1,45 @@ +#!/usr/bin/env bash + +# Check if authselect.conf exists +if [[ ! -f /etc/authselect/authselect.conf ]]; then + echo "/etc/authselect/authselect.conf is missing." + exit 1 +fi + +l_module_name="pwhistory" +l_pam_profile="$(head -1 /etc/authselect/authselect.conf)" + +# Check if authselect.conf exists +if [[ ! -f /etc/authselect/authselect.conf ]]; then + echo "/etc/authselect/authselect.conf is missing." + exit 0 +fi + +if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then + l_pam_profile_path="/etc/authselect/$l_pam_profile" +else + l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile" +fi + +for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do + if [[ ! -f "$file" ]]; then + echo "File $file does not exist. Test failed." + exit 1 + fi + + if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then + echo "pam_pwhistory.so entry not found in $file. Test failed." + exit 1 + else + echo "pam_pwhistory.so entry found in $file." + fi + + if ! grep -P -- "\{include if \"with-pwhistory\"\}" "$file" >/dev/null; then + echo "Entry '{include if \"with-pwhistory\"}' not found in $file. Test failed." + exit 1 + else + echo "Entry '{include if \"with-pwhistory\"}' found in $file. Test passed." + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.5.sh new file mode 100644 index 0000000..d6b0db9 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.2.5.sh 
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash + +# Check if authselect.conf exists +if [[ ! -f /etc/authselect/authselect.conf ]]; then + echo "/etc/authselect/authselect.conf is missing." + exit 1 +fi + +l_module_name="unix" +l_pam_profile="$(head -1 /etc/authselect/authselect.conf)" + +if grep -Pq -- '^custom\/' <<<"$l_pam_profile"; then + l_pam_profile_path="/etc/authselect/$l_pam_profile" +else + l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile" +fi + +for file in "$l_pam_profile_path/password-auth" "$l_pam_profile_path/system-auth"; do + if [[ ! -f "$file" ]]; then + echo "File $file does not exist. Test failed." + exit 1 + fi + if ! grep -P -- "\bpam_$l_module_name\.so\b" "$file" >/dev/null; then + echo "pam_unix.so entry not found in $file. Test failed." + exit 1 + else + echo "pam_unix.so entry found in $file. Test passed." + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.2.7.sh new file mode 100644 index 0000000..ed6605d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.2.7.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# File configuration +FILE="/etc/security/pwquality.conf" +# what we look for +PATTERN="enforce_for_root" + +# Check if the file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE wa not found." + exit 1 +fi + +# Search for the pattern, regardless of its case, even if it is commented out +grep -Ei "^[[:space:]]*#?[[:space:]]*$PATTERN" "$FILE" >/dev/null +FOUND=$? + +# if the pattern is found +if [ $FOUND -eq 0 ]; then + # check if it is commented + grep -Ei "^[[:space:]]*#[[:space:]]*$PATTERN" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + exit 1 + fi + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.3.1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.3.1.sh new file mode 100644 index 0000000..ba6dc49 --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.3.1.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +pw_file="/etc/security/pwhistory.conf" +value="remember" +regex_pattern="^\s*${value}\s*=\s*[0-9]+\s*$" +expected_value=24 +if grep -Eq "$regex_pattern" "$pw_file"; then + current_value=$(grep -Eo "$regex_pattern" "$pw_file" | awk -F'=' '{print $2}' | tr -d ' ') + if ((current_value < expected_value)); then + echo "ERROR: $value = $current_value < $expected_value" + exit 1 + else + echo "$value = $current_value > $expected_value" + exit 0 + fi +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.3.2.sh new file mode 100644 index 0000000..b90f820 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.3.2.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +pw_file="/etc/security/pwhistory.conf" + +value="enfore_for_root" + +regex_pattern="^\s*#*\s*${value}\s*" + +if grep -Eq "^\s*${value}\s*$" "$pw_file"; then + echo "$value is correctly set." + exit 0 +else + echo "ERROR: $value is either missing or commented out." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.4.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.4.2.sh new file mode 100644 index 0000000..c634d6a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.4.2.sh 
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +if [[ ! -d "/etc/authselect" && ! -d "/usr/share/authselect" ]]; then + echo "Authselect is not installed. Exiting." + exit 1 +fi + +pam_profile="$(head -1 /etc/authselect/authselect.conf 2>/dev/null || echo "default")" + +if [[ "$pam_profile" =~ ^custom/ ]]; then + pam_profile_path="/etc/authselect/$pam_profile" +else + pam_profile_path="/usr/share/authselect/default/$pam_profile" +fi + +for auth_file in "$pam_profile_path"/{password-auth,system-auth}; do + if grep -Eq '^\s*password\s+([^#\n\r]+\s+)?pam_unix\.so\b' $auth_file | grep -Pv '\bremember=\d\b'; then + echo "- \"remember\" is set in $auth_file" + exit 1 + else + echo "- \"remember\" is not set in $auth_file" + fi +done +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.4.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.4.3.sh new file mode 100644 index 0000000..87954a6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.3.3.4.3.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +config_file="/etc/authselect/authselect.conf" +if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then + echo "Configuration file '$config_file' is missing or not readable. Exiting." + exit 1 +fi + +if command -v authselect &>/dev/null; then + pam_profile="$(head -1 /etc/authselect/authselect.conf 2>/dev/null || echo "default")" + + if [[ "$pam_profile" =~ ^custom/ ]]; then + pam_profile_path="/etc/authselect/$pam_profile" + else + pam_profile_path="/usr/share/authselect/default/$pam_profile" + fi +else + pam_profile_path="/etc/pam.d" +fi + +for auth_file in "$pam_profile_path"/{password-auth,system-auth}; do + if grep -Eq '^\s*password\s+[^#]*pam_unix\.so\s+.*(sha512|yescrypt)\b' $auth_file; then + echo "- strong password hashing algorithm is set in $auth_file" + else + echo "- strong password hashing algorithm is not set in $auth_file" + exit 1 + fi +done +exit 0 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.1.6.sh new file mode 100644 index 0000000..5faf665 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.1.6.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +{ + awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do + change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s); + if [[ "$change" -gt "$(date +%s)" ]]; then + echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\""; + fi; + done +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.2.1.sh new file mode 100644 index 0000000..14b6a5b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.2.1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($3 == 0) { print $1 }' /etc/passwd +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.2.5.sh new file mode 100644 index 0000000..3ef3663 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/5.4.2.5.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + RPCV="$(sudo -Hiu root env | grep '^PATH' | cut -d= -f2)" + echo "$RPCV" | grep -q "::" && echo "root's path contains a empty directory (::)" + echo "$RPCV" | grep -q ":$" && echo "root's path contains a trailing (:)" + for x in $(echo "$RPCV" | tr ":" " "); do + if [ -d "$x" ]; then + ls -ldH "$x" | awk '$9 == "." {print "PATH contains current working directory (.)"} + $3 != "root" {print $9, "is not owned by root"} + substr($1,6,1) != "-" {print $9, "is group writable"} + substr($1,9,1) != "-" {print $9, "is world writable"}' + else + echo "$x is not a directory" + fi + done +} \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.1.4.sh new file mode 100644 index 0000000..527ebb6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.1.4.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +socket_installed=$(systemctl list-unit-files | grep -q 'systemd-journal-remote.socket' && echo true || echo false) +service_installed=$(systemctl list-unit-files | grep -q 'systemd-journal-remote.service' && echo true || echo false) + +if [[ "$socket_installed" == "false" && "$service_installed" == "false" ]]; then + exit 0 # True if neither is installed +elif [[ "$socket_installed" == "true" && "$(systemctl is-active systemd-journal-remote.socket)" =~ ^(inactive|failed)$ ]] && + [[ "$service_installed" == "true" && "$(systemctl is-active systemd-journal-remote.service)" =~ ^(inactive|failed)$ ]]; then + exit 0 # True if both are not active (including failed) +else + exit 1 # False otherwise +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.2.sh new file mode 100644 index 0000000..375bb76 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.2.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +regex_pattern="^\s*ForwardToSyslog\s*=\s*no" +config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*") + +for config_file in "${config_files[@]}"; do + for file in $config_file; do + if [[ -f "$file" ]]; then + if grep -qE "$regex_pattern" "$file"; then + exit 0 + fi + fi + done +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.3.sh new file mode 100644 index 0000000..ac47dad --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.3.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +regex_pattern="^\s*Compress\s*=\s*yes" +config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*") + +for config_file in "${config_files[@]}"; do + for file in $config_file; do + if [[ -f "$file" ]]; then + if grep -qE "$regex_pattern" "$file"; then + exit 0 + fi + fi + done +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.4.sh new file mode 100644 index 0000000..d2f60bc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.2.4.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +regex_pattern="^\s*Storage\s*=\s*persistent" +config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*") + +for config_file in "${config_files[@]}"; do + for file in $config_file; do + if [[ -f "$file" ]]; then + if grep -qE "$regex_pattern" "$file"; then + exit 0 + fi + fi + done +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.3.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.3.4.sh new file mode 100644 index 0000000..3fbba0a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.3.4.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +config_files=("/etc/rsyslog.conf" "/etc/rsyslog.d/*.conf") +expected_value=0640 + +for file in ${config_files[@]}; do + for i in $file; do + if grep -qE '^\s*\$FileCreateMode' "$i" 2>/dev/null; then + chosen_file=$i + fi + done +done +if [[ -n $chosen_file ]]; then + current_value=$(grep -E '^\s*\$FileCreateMode' "$chosen_file" | sed -E 's/^\s*\$FileCreateMode\s+//') + if [[ -n $current_value && $current_value -le $expected_value ]]; then + echo "FileCreateMode is restricted enough" + exit 0 + else + echo "FileCreateMode is not restricted enough" + exit 1 + fi +else + exit 1 +fi 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.3.7.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.3.7.sh new file mode 100644 index 0000000..31d3bee --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.2.3.7.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +config_files=("/etc/rsyslog.conf" "/etc/rsyslog.d/*.conf") + +for file in "${config_files[@]}"; do + for i in $file; do + if [[ -f $i ]]; then + if grep -qoE '^\s*module\(load="imtcp"\)' "$i" 2>/dev/null; then + exit 1 + fi + if grep -qoE '^\s*input\(type="imtcp"\s+port="[0-9]+"\)' "$i" 2>/dev/null; then + exit 1 + fi + if grep -qoE '^\s*\$ModLoad\s+imtcp' "$i" 2>/dev/null; then + exit 1 + fi + if grep -qoE '^\s*\$InputTCPServerRun' "$i" 2>/dev/null; then + exit 1 + fi + fi + done +done +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.1.2.sh new file mode 100644 index 0000000..7b3479d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.1.2.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +GRUB_CFG="/etc/default/grub" + +if [[ ! -f "$GRUB_CFG" ]]; then + echo "Error: $GRUB_CFG does not exist." + exit 1 +fi +if grep -q "audit=1" "$GRUB_CFG"; then + echo "Found 'audit=1' in $GRUB_CFG." + exit 0 +else + echo "'audit=1' not found in $GRUB_CFG." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.1.3.sh new file mode 100644 index 0000000..158b8cc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.1.3.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +GRUB_CFG="/etc/default/grub" + +if [[ ! -f "$GRUB_CFG" ]]; then + echo "Error: $GRUB_CFG does not exist." + exit 1 +fi +if grep -q "audit_backlog_limit" "$GRUB_CFG"; then + echo "Found 'audit_backlog_limit=1' in $GRUB_CFG." + exit 0 +else + echo "'audit_backlog_limit=1' not found in $GRUB_CFG." + exit 1 +fi 
diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.1.sh new file mode 100644 index 0000000..dc826da --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.1.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +perm_mask="0027" +if [ -e "/etc/audit/auditd.conf" ]; then + log_dir="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" + if [ -d "$log_dir" ]; then + maxperm="$(printf '%o' $((0777 & ~$perm_mask)))" + log_dir_mode="$(stat -Lc '%#a' "$log_dir")" + if [ $(($log_dir_mode & $perm_mask)) -gt 0 ]; then + exit 1 + fi + else + exit 1 + fi +else + exit 1 +fi +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.2.sh new file mode 100644 index 0000000..a8027ab --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.2.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +l_perm_mask="0137" +if [ -e "/etc/audit/auditd.conf" ]; then + # Extract the log directory from the configuration file + l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" + + if [ -d "$l_audit_log_directory" ]; then + l_maxperm="$(printf '%o' $((0777 & ~$l_perm_mask)))" + + # Find files matching the permission mask and process them line by line + while IFS= read -r l_file; do + # Ensure the file exists and get its mode + if [ -e "$l_file" ]; then + l_file_mode="$(stat -Lc '%#a' "$l_file")" + exit 1 + fi + done < <(find "$l_audit_log_directory" -maxdepth 1 -type f -perm /"$l_perm_mask") + + # Check if any files were processed + if [ $? -eq 0 ]; then + exit 0 + fi + else + exit 0 + fi +else + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.3.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.3.sh new file mode 100644 index 0000000..9bf99dc --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.3.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +l_output="" l_output2="" +if [ -e "/etc/audit/auditd.conf" ]; then + l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" + if [ -d "$l_audit_log_directory" ]; then + while IFS= read -r l_file; do + l_output2="$l_output2\n - File: \"$l_file\" is owned by user: \"$(stat -Lc '%U' "$l_file")\"\n (should be owned by user: \"root\")\n" + done < <(find "$l_audit_log_directory" -maxdepth 1 -type f ! -user root) + else + l_output2="$l_output2\n - Log file directory not set in \"/etc/audit/auditd.conf\" please set log file directory" + fi +else + l_output2="$l_output2\n - File: \"/etc/audit/auditd.conf\" not found.\n - ** Verify auditd is installed **" +fi +if [ -z "$l_output2" ]; then + l_output="$l_output\n - All files in \"$l_audit_log_directory\" are owned by user: \"root\"\n" + echo -e "\n- Audit Result:\n ** PASS **\n - * Correctly configured * :$l_output" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - * Reasons for auditgfailure * :$l_output2\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.4.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.4.sh new file mode 100644 index 0000000..b5e03bd --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/6.3.4.4.sh 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +audit_conf="/etc/audit/auditd.conf" +perm_mask="0177" +if [ ! -f "$audit_conf" ]; then + exit 1 +fi +audit_log_dir=$(grep -E '^\s*log_file\s*=' "$audit_conf" | cut -d= -f2 | xargs dirname 2>/dev/null) +if [ -z "$audit_log_dir" ]; then + exit 1 +fi +audit_log_group=$(grep -E '^\s*log_group\s*=' "$audit_conf" | cut -d= -f2 | xargs) +if [ -z "$audit_log_group" ]; then + exit 1 +fi +if [ ! -d "$audit_log_dir" ]; then + exit 1 +fi +for file in "$audit_log_dir"/*; do + if [ -f "$file" ]; then + group=$(ls -l "$file" | awk '{print $4}') + if [[ "$group" != "root" && "$group" != "adm" ]]; then + exit 1 + fi + fi +done +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/7.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/7.2.1.sh new file mode 100644 index 0000000..8a41221 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/7.2.1.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/7.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/7.2.2.sh new file mode 100644 index 0000000..2e5e69e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/RHEL9_CIS2.0.0/7.2.2.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +{ + awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow +} \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh new file mode 100644 index 0000000..9e530cc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-1.8.1.3.sh @@ -0,0 +1,2 @@ +#!/bin/bash +grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh new file mode 100644 index 0000000..47785d8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_1.sh @@ -0,0 +1,2 @@ +#!/bin/bash +awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh new file mode 100644 index 0000000..af16149 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.2_2.sh @@ -0,0 +1,2 @@ +#!/bin/bash +awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh new file mode 100644 index 0000000..21cdbfc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-5.4.4.sh @@ -0,0 +1,4 @@ +#!/bin/bash +for f in /etc/profile.d/*.sh ; do + grep -Eq '(^|^[^#]*;)\s*(readonly|export(\s+[^$#;]+\s*)*)?\s*TMOUT=(900|[1-8][0-9][0-9]|[1-9][0-9]|[1-9])\b' $f && grep -Eq '(^|^[^#]*;)\s*readonly\s+TMOUT\b' $f && grep -Eq '(^|^[^#]*;)\s*export\s+([^$#;]+\s+)*TMOUT\b' $f && echo "TMOUT correctly configured in file: $f"; +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh new file mode 100644 index 0000000..38c459d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.1.sh 
@@ -0,0 +1,2 @@ +#!/bin/bash +awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh new file mode 100644 index 0000000..bbd8860 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.10.sh @@ -0,0 +1,10 @@ +#!/bin/bash +awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then + echo ".netrc file $dir/.netrc exists" + fi + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh new file mode 100644 index 0000000..118123e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.11.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash +awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.netrc; do + if [ ! -h "$file" -a -f "$file" ]; then + fileperm=$(ls -ld $file | cut -f1 -d" ") + if [ $(echo $fileperm | cut -c5) != "-" ]; then + echo "Group Read set on $file" + fi + if [ $(echo $fileperm | cut -c6) != "-" ]; then + echo "Group Write set on $file" + fi + if [ $(echo $fileperm | cut -c7) != "-" ]; then + echo "Group Execute set on $file" + fi + if [ $(echo $fileperm | cut -c8) != "-" ]; then + echo "Other Read set on $file" + fi + if [ $(echo $fileperm | cut -c9) != "-" ]; then + echo "Other Write set on $file" + fi + if [ $(echo $fileperm | cut -c10) != "-" ]; then + echo "Other Execute set on $file" + fi + fi + done + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh new file mode 100644 index 0000000..685a0d0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.12.sh @@ -0,0 +1,12 @@ +#!/bin/bash +awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.rhosts; do + if [ ! -h "$file" -a -e "$file" ]; then + echo ".rhosts file in $dir" + fi + done + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh new file mode 100644 index 0000000..810e325 --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_1.sh @@ -0,0 +1,2 @@ +#!/bin/bash +grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh new file mode 100644 index 0000000..ab4d48a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.18_2.sh @@ -0,0 +1,2 @@ +#!/bin/bash +awk -F: '($4 == "") { print }' /etc/passwd \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh new file mode 100644 index 0000000..5e6b3c3 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.2.sh @@ -0,0 +1,2 @@ +#!/bin/bash +awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh new file mode 100644 index 0000000..ef0dc08 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.5.sh @@ -0,0 +1,6 @@ +#!/bin/bash +grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh new file mode 100644 index 0000000..9d14223 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.6.sh 
@@ -0,0 +1,20 @@ +#!/bin/bash +grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + dirperm=$(ls -ld $dir | cut -f1 -d" ") + if [ $(echo $dirperm | cut -c6) != "-" ]; then + echo "Group Write permission set on the home directory ($dir) of user $user" + fi + if [ $(echo $dirperm | cut -c8) != "-" ]; then + echo "Other Read permission set on the home directory ($dir) of user $user" + fi + if [ $(echo $dirperm | cut -c9) != "-" ]; then + echo "Other Write permission set on the home directory ($dir) of user $user" + fi + if [ $(echo $dirperm | cut -c10) != "-" ]; then + echo "Other Execute permission set on the home directory ($dir) of user $user" + fi + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh new file mode 100644 index 0000000..4df7421 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.7.sh @@ -0,0 +1,11 @@ +#!/bin/bash +grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + owner=$(stat -L -c "%U" "$dir") + if [ "$owner" != "$user" ]; then + echo "The home directory ($dir) of user $user is owned by $owner." + fi + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh new file mode 100644 index 0000000..01e4ddc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.8.sh 
@@ -0,0 +1,18 @@ +#!/bin/bash +grep -E -v '^(halt|sync|shutdown)' /etc/passwd | awk -F: '($7 != "'"$(which nologin)"'" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do + if [ ! -d "$dir" ]; then + echo "The home directory ($dir) of user $user does not exist." + else + for file in $dir/.[A-Za-z0-9]*; do + if [ ! -h "$file" -a -f "$file" ]; then + fileperm=$(ls -ld $file | cut -f1 -d" ") + if [ $(echo $fileperm | cut -c6) != "-" ]; then + echo "Group Write permission set on file $file" + fi + if [ $(echo $fileperm | cut -c9) != "-" ]; then + echo "Other Write permission set on file $file" + fi + fi + done + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh new file mode 100644 index 0000000..113a2ce --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/SLE_15/CIS-SEL15-6.2.9.sh @@ -0,0 +1,10 @@ +#!/bin/bash +awk -F: '($1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "'"$(which nologin)"'" && $7 != "/bin/false" && $7 != "/usr/bin/false") { print $1 " " $6 }' /etc/passwd | while read user dir; do + if [ ! -d "$dir" ] ; then + echo "The home directory ($dir) of user $user does not exist." + else + if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then + echo ".forward file $dir/.forward exists" + fi + fi +done \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.1.2.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.1.2.2.1.sh new file mode 100644 index 0000000..88fc6ec --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.1.2.2.1.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +CHECK_DIR="/dev/shm" +findmnt -kn "$CHECK_DIR" &>/dev/null +exit $? \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.3.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.3.1.2.sh new file mode 100644 index 0000000..7d7d905 
--- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.3.1.2.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +GRUB_CFG="/etc/default/grub" + +if [[ ! -f "$GRUB_CFG" ]]; then + echo "Error: $GRUB_CFG does not exist." + exit 1 +fi +if grep -q "apparmor=1" "$GRUB_CFG"; then + echo "Found 'apparmor=1' in $GRUB_CFG." + exit 0 +else + echo "'apparmor=1' not found in $GRUB_CFG." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.3.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.3.1.4.sh new file mode 100644 index 0000000..c4344c4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.3.1.4.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +unconfined_lines=$(apparmor_status | grep unconfined) + +while IFS= read -r line; do + if [[ ! "$line" =~ ^0 ]]; then + exit 1 + fi +done <<<"$unconfined_lines" +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.5.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.5.3.sh new file mode 100644 index 0000000..5895ecc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.5.3.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash +kernel_parameters=("fs.suid_dumpable") +kernel_values=("0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.6.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.6.1.sh new file mode 100644 index 0000000..373e1cc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.6.1.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +# Extract the OS ID from /etc/os-release +OS_ID=$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g') + +# Run the grep command with the OS ID incorporated +grep -Eis "(\\v|\\r|\\m|\\s|$OS_ID)" /etc/motd + +# Check the exit code of the grep command +if [ $? -ne 0 ]; then + # Grep did not find any matches, return 0 + exit 0 +else + # Grep found matches, return 1 + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.6.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.6.4.sh new file mode 100644 index 0000000..a2766e2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.6.4.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +TEST_FILE="/etc/motd" +if [ -e "$TEST_FILE" ]; then + DESIRED_PERM="644" + ACTUAL_PERM=$(stat -c "%a" "$TEST_FILE") + if [[ "$ACTUAL_PERM" == "$DESIRED_PERM" ]]; then + exit 0 + else + exit 1 + fi +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.7.10.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.7.10.sh new file mode 100644 index 0000000..d21b15d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.7.10.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +config_file="/etc/gdm/custom.conf" + +if [[ ! -f "$config_file" || ! -r "$config_file" ]]; then + exit 0 +fi + +value="Enable" + +if grep -Eq "^\s*$value\s*=\s*true\s*$" "$config_file"; then + echo -e " \"$value\" in $config_file is true" + exit 1 +else + echo -e "\"$value\" not found or not set " +fi +exit 0 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.2.sh new file mode 100644 index 0000000..9be133e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.2.sh @@ -0,0 +1,32 @@ +#!/usr/bin/env bash + +if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" +elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" +fi + +found=1 +for gdm in "gdm" "gdm3"; do # Space seporated list of packages to check + $l_pq $gdm &>/dev/null && found=0 +done + +if [[ $found -eq 0 ]]; then + l_gdmfile="$(grep -Prils '^\h*banner-message-enable\b' /etc/dconf/db/*.d)" # can be multipale + num_gdmfile=$(wc -l <<< $l_gdmfile) + if [[ -n "$l_gdmfile" ]]; then + # wc -l because all files need to be set to true; grep -q states min 1 file is set to true + [[ $(grep -Pisl '^\h*banner-message-enable\h*=\h*true\b' $l_gdmfile | wc -l) < $num_gdmfile ]] && exit 1 + [[ $(grep -Pisl '^\h*banner-message-text\h*=\h*.*$' $l_gdmfile | wc -l) < $num_gdmfile ]] && exit 1 + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")" # can be multipale + for prof in $l_gdmprofile; do + # -r because local db config rules etc. can be listet under /etc/dconf/profile/user or others + grep -Prq "^\h*system-db:$prof" /etc/dconf/profile/ || exit 1 + [ -f "/etc/dconf/db/$prof" ] || exit 1 + done + else + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.3.sh new file mode 100644 index 0000000..4e9ecf2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.3.sh 
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" +elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" +fi + +found=1 +for gdm in "gdm" "gdm3"; do # Space seporated list of packages to check + $l_pq $gdm &>/dev/null && found=0 +done + +if [[ $found -eq 0 ]]; then + l_gdmfile="$(grep -Prils '^\h*disable-user-list\h*=\h*true\b' /etc/dconf/db/*.d)" # can be multipale + if [[ -n "$l_gdmfile" ]]; then + l_gdmprofile="$(awk -F\/ '{split($(NF-1),a,".");print a[1]}' <<<"$l_gdmfile")" # can be multipale + for prof in $l_gdmprofile; do + # -r because local db config rules etc. can be listet under /etc/dconf/profile/user or others + grep -Prq "^\h*system-db:$prof" /etc/dconf/profile/ || exit 1 + [ -f "/etc/dconf/db/$prof" ] || exit 1 + done + else + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.4.sh new file mode 100644 index 0000000..aef3c5e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.4.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# untested - changed settings don't take effect?! + +max_lockdelay=5 +max_idledelay=900 + +unit_lockdelay=$(gsettings get org.gnome.desktop.screensaver lock-delay 2>/dev/null) +unit_idledelay=$(gsettings get org.gnome.desktop.session idle-delay 2>/dev/null) + +if [[ -n "$unit_lockdelay" && -n "$unit_idledelay" ]]; then # is gnome installed + idledelay=$(cut -d ' ' -f 2 <<<"$unit_idledelay") + + [[ $idledelay -gt $max_idledelay || $idledelay -le 0 ]] && exit 1 + [[ $(cut -d ' ' -f 2 <<<"$unit_lockdelay") -gt $max_lockdelay ]] && exit 1 +fi + +exit 0 \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.5.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.5.sh new file mode 100644 index 0000000..1be9483 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.5.sh 
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" +elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" +fi + +found=1 +for gdm in "gdm" "gdm3"; do # Space seporated list of packages to check + $l_pq $gdm &>/dev/null && found=0 +done + +checkLock() { + l_gdmfile="$(grep -Prils "^\h*$1\h*=\h*\d+\b" /etc/dconf/db/*.d)" # can be multipale + if [[ -n "$l_gdmfile" ]]; then + for path in $(dirname $l_gdmfile); do + grep -Prisq "^\h*\/org\/gnome\/desktop\/$2\/$1\b" "$path/locks" || exit 1 + done + else + exit 1 + fi +} + +if [[ $found -eq 0 ]]; then + checkLock "idle-delay" "session" + checkLock "lock-delay" "screensaver" +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.6.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.6.sh new file mode 100644 index 0000000..1a65199 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.6.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +auto=$(gsettings get org.gnome.desktop.media-handling automount 2>/dev/null) +# -n checks for gnome installed +[[ -n "$auto" && "$auto" != "false" ]] && exit 1 + +autOpen=$(gsettings get org.gnome.desktop.media-handling automoun-open 2>/dev/null) +[[ -n "$autOpen" && "$autOpen" != "false" ]] && exit 1 + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.7.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.7.sh new file mode 100644 index 0000000..99cd926 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.7.sh 
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" +elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" +fi + +found=1 +for gdm in "gdm" "gdm3"; do # Space seporated list of packages to check + $l_pq $gdm &>/dev/null && found=0 +done + +checkLock() { + l_gdmfile="$(grep -Prils "^\h*$1\h*=\h*\w+\b" /etc/dconf/db/*.d)" # can be multipale + if [[ -n "$l_gdmfile" ]]; then + for path in $(dirname $l_gdmfile); do + grep -Prisq "^\h*\/org\/gnome\/desktop\/media-handling\/$1\b" "$path/locks" || exit 1 + done + else + exit 1 + fi +} + +if [[ $found -eq 0 ]]; then + checkLock "automount" + checkLock "automount-open" +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.8.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.8.sh new file mode 100644 index 0000000..6ff5147 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.8.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +auto=$(gsettings get org.gnome.desktop.media-handling autorun-never 2>/dev/null) +# -n checks for gnome installed +[[ -n "$auto" && "$auto" != "true" ]] && exit 1 + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.9.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.9.sh new file mode 100644 index 0000000..1eb2760 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/1.8.9.sh 
@@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +if command -v dpkg-query >/dev/null 2>&1; then + l_pq="dpkg-query -W" +elif command -v rpm >/dev/null 2>&1; then + l_pq="rpm -q" +fi + +found=1 +for gdm in "gdm" "gdm3"; do # Space seporated list of packages to check + $l_pq $gdm &>/dev/null && found=0 +done + +checkLock() { + l_gdmfile="$(grep -Prils "^\h*$1\h*=\h*\w+\b" /etc/dconf/db/*.d)" # can be multipale + if [[ -n "$l_gdmfile" ]]; then + for path in $(dirname $l_gdmfile); do + grep -Prisq "^\h*\/org\/gnome\/desktop\/media-handling\/$1\b" "$path/locks" || exit 1 + done + else + exit 1 + fi +} + +if [[ $found -eq 0 ]]; then + checkLock "autorun-never" +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/2.1.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/2.1.1.1.sh new file mode 100644 index 0000000..bee9019 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/2.1.1.1.sh 
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +{ + output="" l_tsd="" l_sdtd="" chrony="" l_ntp="" + dpkg-query -W chrony >/dev/null 2>&1 && l_chrony="y" + dpkg-query -W ntp >/dev/null 2>&1 && l_ntp="y" || l_ntp="" + systemctl list-units --all --type=service | grep -q 'systemd-timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' && l_sdtd="y" + # ! systemctl is-enabled systemd-timesyncd.service | grep -q 'enabled' && l_nsdtd="y" || l_nsdtd="" + if [[ "$l_chrony" = "y" && "$l_ntp" != "y" && "$l_sdtd" != "y" ]]; then + l_tsd="chrony" + output="$output\n- chrony is in use on the system" + elif [[ "$l_chrony" != "y" && "$l_ntp" = "y" && "$l_sdtd" != "y" ]]; then + l_tsd="ntp" + output="$output\n- ntp is in use on the system" + elif [[ "$l_chrony" != "y" && "$l_ntp" != "y" ]]; then + if systemctl list-units --all --type=service | grep -q 'systemd-timesyncd.service' && systemctl is-enabled systemd-timesyncd.service | grep -Eq '(enabled|disabled|masked)'; then + l_tsd="sdtd" + output="$output\n- systemd-timesyncd is in use on the system" + fi + else + [[ "$l_chrony" = "y" && "$l_ntp" = "y" ]] && output="$output\n- both chrony and ntp are in use on the system" + [[ "$l_chrony" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both chrony and systemd-timesyncd are in use on the system" + [[ "$l_ntp" = "y" && "$l_sdtd" = "y" ]] && output="$output\n- both ntp and systemd-timesyncd are in use on the system" + fi + if [ -n "$l_tsd" ]; then + echo -e "\n- PASS:\n$output\n" + else + echo -e "\n- FAIL:\n$output\n" + fi +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/2.3.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/2.3.3.2.sh new file mode 100644 index 0000000..1175611 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/2.3.3.2.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +if ! command -v chronyd &>/dev/null; then + # chronyd is not installed + exit 0 +fi + +if ps -ef | grep -v grep | grep -q "chronyd"; then + if ps -ef | grep -v grep | grep "chronyd" | awk '{print $1}' | grep -q "^_chrony$"; then + exit 0 + else + exit 1 + fi +else + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.1.1.sh new file mode 100644 index 0000000..9470c77 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.1.1.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +{ + output="" + grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \;) + searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" + + if [ -s "$grubfile" ]; then + ! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- ipv6.disable=1 && output="IPv6 Disabled in \"$grubfile\"" + fi + + if + grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && \ + grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $searchloc && \ + sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && \ + sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" + then + [ -n "$output" ] && output="$output, and in sysctl config" || output="ipv6 disabled in sysctl config" + fi + + [ -n "$output" ] && echo -e "\n$output\n" || echo -e "\nIPv6 is enabled on the system\n" +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.1.6.sh new file mode 100644 index 0000000..082385c --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.1.6.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +which ufw &>/dev/null || echo "no ufw" && exit 0 + +ufw_out="$(ufw status verbose)" +ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {split($5, a, ":"); print a[2]}' | sort | uniq | while read -r lpn; do + ! grep -Pq "^\h*$lpn\b" <<<"$ufw_out" && echo "- Port: \"$lpn\" is missing a firewall rule" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_1.sh new file mode 100644 index 0000000..33feb3a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_1.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +[ -n "$(grep -E '^\s*include' /etc/nftables.conf)" ] && awk '/hook input/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/nftables.conf) \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_2.sh new file mode 100644 index 0000000..3ec71e2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_2.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +[ -n "$(grep -E '^\s*include' /etc/nftables.conf)" ] && awk '/hook forward/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/nftables.conf) \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_3.sh new file mode 100644 index 0000000..46f6d37 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/3.5.2.10_3.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +[ -n "$(grep -E '^\s*include' /etc/nftables.conf)" ] && awk '/hook output/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/nftables.conf) \ No newline at end of file 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.1.3.11_1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.1.3.11_1.sh new file mode 100644 index 0000000..5275e7c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.1.3.11_1.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +{ + awk '/^ *-w/ \ +&&(/\/var\/run\/utmp/ \ + ||/\/var\/log\/wtmp/ \ + ||/\/var\/log\/btmp/) \ +&&/ +-p *wa/ \ +&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.1.3.11_2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.1.3.11_2.sh new file mode 100644 index 0000000..57f840a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.1.3.11_2.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +{ + auditctl -l | awk '/^ *-w/ \ +&&(/\/var\/run\/utmp/ \ + ||/\/var\/log\/wtmp/ \ + ||/\/var\/log\/btmp/) \ +&&/ +-p *wa/ \ +&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.2.3.sh new file mode 100644 index 0000000..e76eaa7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/4.2.3.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +checkForRules() { + # check if a Block states at least 1 reference (ufw blocks) + # and has more 2 lines (Input, Output, Forward blocks) + $1 -L | awk -v RS="\n\n" '$0 !~ /\(0 references\)/ && $0 ~ /.+\n.+\n.+/ {print $0}' +} + +[[ -n "$(checkForRules ip6tables)" || -n "$(checkForRules iptables)" ]] && exit 1 + +exit 0 \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.10.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.10.sh new file mode 100644 index 0000000..40eb8e2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.10.sh 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash +parameter_sshd_t=hostbasedauthentication +parameter_sshd_config=HostbasedAuthentication +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.11.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.11.sh new file mode 100644 index 0000000..44c53ba --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.11.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=ignorerhosts +parameter_sshd_config=IgnoreRhosts +desired_value=yes + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + actual_value=no + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.12.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.12.sh new file mode 100644 index 0000000..002502f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.12.sh 
@@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +output=$(sshd -T -C user=root -C host="$(hostname)" -C addr="$(hostname -I | cut -d ' ' -f1)" | grep -Ei "kexalgorithms\s+([^#\n\r]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b") + +if [[ -n "$output" ]]; then + exit 1 +else + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.13.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.13.sh new file mode 100644 index 0000000..55f58f2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.13.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +#test +parameter_sshd_t=logingracetime +parameter_sshd_config=LoginGraceTime +desired_value=60 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + actual_value=120 + fi +fi + +if [ "$actual_value" -le "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.14.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.14.sh new file mode 100644 index 0000000..90d49f0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.14.sh 
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash +parameter_sshd_t=loglevel +parameter_sshd_config=LogLevel +desired_value=INFO +desired_value1=VERBOSE + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + actual_value=INFO + fi +fi + +if [ "$actual_value" = "$desired_value" ] || [ "$actual_value" = "$desired_value1" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.15.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.15.sh new file mode 100644 index 0000000..e4b9ba7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.15.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -Pi -- 'macs\h+([^#\n\r]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)') + +if [ -z "$actual_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.17.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.17.sh new file mode 100644 index 0000000..9d1ac4d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.17.sh 
@@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +parameter_sshd_t=maxsessions +parameter_sshd_config=MaxSessions +FILE="/etc/ssh/sshd_config" +desired_value=10 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + fi +fi + +if [ "$actual_value" -le "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.18.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.18.sh new file mode 100644 index 0000000..e1d2b8d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.18.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +parameter_sshd_t=maxstartups +parameter_sshd_config=MaxStartups +desired_value="10:30:60" + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -Ei "^$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep -E "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.6.sh new file mode 100644 index 0000000..f392ffc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.6.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -Pi -- '^ciphers\h+\"?([^#\n\r]+,)?((3des|blowfish|cast128|aes(128|192|256))-cbc|arcfour(128|256)?|rijndael-cbc@lysator\.liu\.se|chacha20-poly1305@openssh\.com)') + +if [ -z "$actual_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.7.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.7.sh new file mode 100644 index 0000000..c1284aa --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.7.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash +parameter_sshd_t=clientaliveinterval +parameter_sshd_config=ClientAliveInterval +desired_value=15 + +parameter_sshd_t1=clientalivecountmax +parameter_sshd_config1=ClientAliveCountMax +desired_value1=3 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') +actual_value1=$(sshd -T | grep -i "$parameter_sshd_t1" | awk '{print $2}') + +if [ -z "$actual_value" ] && [ -z "$actual_value1" ]; then + if (grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config) && (grep -iq '^$parameter_sshd_config1' /etc/ssh/sshd_config); then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + actual_value1=$(grep -i '^$parameter_sshd_config1' /etc/ssh/sshd_config | awk '{print $2}') + + else + echo "$parameter_sshd_config not set in sshd_config, using default" + exit 1 + fi +fi + +if [ "$actual_value" -eq "$desired_value" ] && [ "$actual_value1" -eq "$desired_value1" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.8.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.8.sh new file mode 100644 index 0000000..89ecb6c 
--- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.8.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=disableforwarding +parameter_sshd_config=DisableForwarding +desired_value=yes + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.9.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.9.sh new file mode 100644 index 0000000..49ee504 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.1.9.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=gssapiauthentication +parameter_sshd_config=GSSAPIAuthentication +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.4.sh new file mode 100644 index 0000000..6e9b2a7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.4.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +sufile="/etc/sudoers" +includes=$(awk '/^[^#]*(@|#)include(dir)?/{ + if ($1 ~ /^(@|#)includedir/) + print $2"/*"; + else print $2}' $sufile) + +for file in $sufile $includes; do + # exclude hardening file + if [[ ! $file =~ /\*$ ]] && grep -q "^[^#]*NOPASSWD" $file && [[ $file != "/etc/sudoers.d/DSC" ]]; then + exit 1 + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.5.sh new file mode 100644 index 0000000..c6c181c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.5.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +sufile="/etc/sudoers" +includes=$(awk '/^[^#]*(@|#)include(dir)?/{ + if ($1 ~ /^(@|#)includedir/) + print $2"/*"; + else print $2}' $sufile) + +for file in $sufile $includes; do + if [[ ! $file =~ /\*$ ]] && grep -q "^[^#]*!authenticate" $file; then + exit 1 + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.7.sh new file mode 100644 index 0000000..282cb7a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.2.7.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +# multiple groups can be configured to switch to diffrent set of users +while IFS='=' read -r _ confGroup; do + # options not in specific Order -> cut of + group="$(echo $confGroup | awk '{print $1}')" + membercount=$(grep -Pi "^$group:" /etc/group | awk -F ':' '{print $NF}' | awk -F ',' '{print NF}') + # groups should have no members + [[ $membercount -gt 0 ]] && exit 1 +done < <(grep -Pi '^\h*auth\h+(?:required|requisite)\h+pam_wheel\.so\h+(?:[^#\n\r]+\h+)?((?!\2)(use_uid\b|group=\H+\b))\h+(?:[^#\n\r]+\h+)?((?!\1)(use_uid\b|group=\H+\b))(\h+.*)?$' /etc/pam.d/su) + +exit 0 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.1.sh new file mode 100644 index 0000000..843c699 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.1.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +pam_files=("/etc/pam.d/common-account" "/etc/pam.d/common-session" "/etc/pam.d/common-auth" "/etc/pam.d/common-password") +pam_module="pam_unix.so" +error_found=false + +for file in "${pam_files[@]}"; do + echo "Checking $file..." + if grep -q "$pam_module" "$file"; then + echo "OK: $pam_module is enabled in $file" + else + echo "Error: $pam_module is NOT enabled in $file" + error_found=true + fi +done + +if [ "$error_found" = true ]; then + echo "Test Failed: pam_unix.so is NOT enabled in all PAM configuration files." + exit 1 +else + echo "Test Passed: pam_unix.so is enabled in all PAM configuration files." + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.2.sh new file mode 100644 index 0000000..abca33b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.2.sh 
@@ -0,0 +1,40 @@ +#!/usr/bin/env bash + +pam_path="/usr/share/pam-configs" +pam_files=("faillock" "faillock_notify") + +expected_faillock=( + 'Name: Enable pam_faillock to deny access' + 'Default: yes' + 'Priority: 0' + 'Auth-Type: Primary' + 'Auth: [default=die] pam_faillock.so authfail' +) +expected_faillock_notify=( + 'Name: Notify of failed login attempts and reset count upon success' + 'Default: yes' + 'Priority: 1024' + 'Auth-Type: Primary' + 'Auth: requisite pam_faillock.so preauth' + 'Account-Type: Primary' + 'Account: required pam_faillock.so' +) +check_profile() { + local profile_path="$pam_path/$1" + local expected_content=("${!2}") + + if [[ ! -f "$profile_path" ]]; then + echo "ERROR: Profile $profile_path does not exist." + exit 1 + fi + echo "Checking profile: $profile_path" + # Read the actual content of the profile file + for line in "${expected_content[@]}"; do + if ! grep -Fxq "$line" "$profile_path"; then + echo "ERROR: Expected line not found in $profile_path: $line" + exit 1 + fi + done +} +check_profile "faillock" expected_faillock[@] +check_profile "faillock_notify" expected_faillock_notify[@] diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.3.sh new file mode 100644 index 0000000..82ab4ca --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.3.sh 
@@ -0,0 +1,32 @@ +#!/usr/bin/env bash + +pam_path="/usr/share/pam-configs" +profile_name="pwquality" + +expected_content=( + 'Name: Pwquality password strength checking' + 'Default: yes' + 'Priority: 1024' + 'Conflicts: cracklib' + 'Password-Type: Primary' + 'Password:' 'requisite pam_pwquality.so retry=3' + 'Password-Initial:' + 'requisite' +) +# check if the pwquality exists +if [[ -f "$pam_path/$profile_name" ]]; then + echo "$profile_name profile found in $pam_path:" +else + echo "ERROR: $profile_name profile not found in $pam_path." + exit 1 +fi + +# check content of pwquality +for line in "${expected_pwquality[@]}"; do + if ! grep -Fxq "$line" "$pam_path/$profile_name"; then + echo "ERROR: Expected line not found in $profile_name: $line" + exit 1 + fi +done +echo "pwquality profile content in $pam_path/$profile_name is correct." +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.4.sh new file mode 100644 index 0000000..fe86ec2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.2.4.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +pam_path="/usr/share/pam-configs" +profile_name="pwhistory" + +expected_content=( + 'Name: pwhistory password history checking' + 'Default: yes' + 'Priority: 1024' + 'Password-Type: Primary' 'Password:' + 'requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok' +) + +# check content of pwhistory +if [[ -f "$pam_path/$profile_name" ]]; then + echo "$profile_name profile found in $pam_path:" +else + echo "ERROR: $profile_name profile not found in $pam_path." + exit 1 +fi + +# check content of pwhistory +for line in "${expected_pwquality[@]}"; do + if ! grep -Fxq "$line" "$pam_path/$profile_name"; then + echo "ERROR: Expected line not found in $profile_name: $line" + exit 1 + fi +done +echo "$profile_name profile content in $pam_path/$profile_name is correct." +exit 0 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.2.7.sh new file mode 100644 index 0000000..fb0b279 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.2.7.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# Parameter to search for +parameter_config="enforcing" +unwanted_value=0 +file="/etc/security/pwquality.conf" + +# Search for the line containing the parameter with '=' and the unwanted value, even if commented +line=$(grep -E "^\s*$parameter_config\s*=\s*$unwanted_value\s*$" "$file") + +# Check if the unwanted line exists +if [ -n "$line" ]; then + echo "Error: The line '$parameter_config=$unwanted_value' exists in $file (even if commented)." + exit 1 +else + echo "No unwanted or commented line '$parameter_config=$unwanted_value' found in $file." + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.2.8.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.2.8.sh new file mode 100644 index 0000000..ed6605d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.2.8.sh @@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +# File configuration +FILE="/etc/security/pwquality.conf" +# what we look for +PATTERN="enforce_for_root" + +# Check if the file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE wa not found." + exit 1 +fi + +# Search for the pattern, regardless of its case, even if it is commented out +grep -Ei "^[[:space:]]*#?[[:space:]]*$PATTERN" "$FILE" >/dev/null +FOUND=$? + +# if the pattern is found +if [ $FOUND -eq 0 ]; then + # check if it is commented + grep -Ei "^[[:space:]]*#[[:space:]]*$PATTERN" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + exit 1 + fi + exit 0 +else + exit 1 +fi 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.3.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.3.1.sh new file mode 100644 index 0000000..4405ee6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.3.1.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +files_to_check=$(awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*) +if [[ -z $files_to_check ]]; then + echo "file was not found" +else + for file in "$files_to_check"; do + if grep -Eq "pam_pwhistory\.so.*remember=" "$file"; then + current_value=$(grep -Eo "remember=[0-9]+" "$file" | grep -Eo "[0-9]+") + if [ "$current_value" -lt 24 ]; then + exit 1 + fi + else + exit 1 + fi + done + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.3.2.sh new file mode 100644 index 0000000..0812856 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.3.2.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +files_to_check=$(awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*) +if [[ -z $files_to_check ]]; then + echo "file was not found" +else + for file in "$files_to_check"; do + if grep -Eq "pam_pwhistory\.so.*enforce_for_root" "$file"; then + exit 0 + else + exit 1 + fi + done + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.4.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.4.2.sh new file mode 100644 index 0000000..eed187c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.4.2.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +files_to_check=$(grep -El 'pam_unix\.so.*remember=' /usr/share/pam-configs/*) +if [[ -z "$files_to_check" ]]; then + exit 0 +else + exit 1 +fi 
diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.4.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.4.3.sh new file mode 100644 index 0000000..990d02d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.3.3.4.3.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +files_to_check=$(grep -Elz "Password-Type:.*\n.*pam_unix\.so" /usr/share/pam-configs/*) +if [ -z "$files_to_check" ]; then + echo "No relevant files found." + exit 0 +fi + +for file in $files_to_check; do + if ! grep -Eq "pam_unix\.so.*(yescrypt|sha512)" "$file"; then + exit 1 + fi +done +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.4.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.4.2.4.sh new file mode 100644 index 0000000..aab585f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.4.2.4.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +root_password=$(getent shadow root | cut -d: -f2) + +if [[ "$root_password" == "*" || "$root_password" == "!" || -z "$root_password" ]]; then + exit 1 +fi + +exit 0 + diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.5.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.5.1.5.sh new file mode 100644 index 0000000..45b638f --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/5.5.1.5.sh @@ -0,0 +1,9 @@ +#!/bin/bash +{ + awk -F: '/^[^:]+:[^!*]/{print $1}' /etc/shadow | while read -r usr; do + change=$(date -d "$(chage --list $usr | grep '^Last password change' | cut -d: -f2 | grep -v 'never$')" +%s) + if [[ "$change" -gt "$(date +%s)" ]]; then + echo "User: \"$usr\" last password change was \"$(chage --list $usr | grep '^Last password change' | cut -d: -f2)\"" + fi + done +} diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.4.sh new file mode 100644 index 0000000..375bb76 --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.4.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +regex_pattern="^\s*ForwardToSyslog\s*=\s*no" +config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*") + +for config_file in "${config_files[@]}"; do + for file in $config_file; do + if [[ -f "$file" ]]; then + if grep -qE "$regex_pattern" "$file"; then + exit 0 + fi + fi + done +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.5.sh new file mode 100644 index 0000000..d2f60bc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.5.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +regex_pattern="^\s*Storage\s*=\s*persistent" +config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*") + +for config_file in "${config_files[@]}"; do + for file in $config_file; do + if [[ -f "$file" ]]; then + if grep -qE "$regex_pattern" "$file"; then + exit 0 + fi + fi + done +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.6.sh new file mode 100644 index 0000000..ac47dad --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.1.6.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +regex_pattern="^\s*Compress\s*=\s*yes" +config_files=("/etc/systemd/journald.conf" "/etc/systemd/journald.conf.d/*") + +for config_file in "${config_files[@]}"; do + for file in $config_file; do + if [[ -f "$file" ]]; then + if grep -qE "$regex_pattern" "$file"; then + exit 0 + fi + fi + done +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.2.4.sh new file mode 100644 index 0000000..527ebb6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.1.2.4.sh 
@@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +socket_installed=$(systemctl list-unit-files | grep -q 'systemd-journal-remote.socket' && echo true || echo false) +service_installed=$(systemctl list-unit-files | grep -q 'systemd-journal-remote.service' && echo true || echo false) + +if [[ "$socket_installed" == "false" && "$service_installed" == "false" ]]; then + exit 0 # True if neither is installed +elif [[ "$socket_installed" == "true" && "$(systemctl is-active systemd-journal-remote.socket)" =~ ^(inactive|failed)$ ]] && + [[ "$service_installed" == "true" && "$(systemctl is-active systemd-journal-remote.service)" =~ ^(inactive|failed)$ ]]; then + exit 0 # True if both are not active (including failed) +else + exit 1 # False otherwise +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.3.sh new file mode 100644 index 0000000..8478396 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.3.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +for i in $(cut -s -d: -f4 /etc/passwd | sort -u); do + grep -q -P "^.*?:[^:]*:$i:" /etc/group || exit 1 +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.5.sh new file mode 100644 index 0000000..7d12fdf --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.5.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x; do + [ -z "$x" ] && break + set - $x + if [ $1 -gt 1 ]; then + users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs) + echo "Duplicate UID ($2): $users" + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.6.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.6.sh new file mode 100644 index 0000000..f7d6871 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.6.sh 
@@ -0,0 +1,5 @@ +#!/bin/bash + +cut -d: -f3 /etc/group | sort | uniq -d | while read x; do + echo "Duplicate GID ($x) in /etc/group" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.7.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.7.sh new file mode 100644 index 0000000..f36bb79 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.7.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +cut -d: -f1 /etc/passwd | sort | uniq -d | while read -r x; do + echo "Duplicate login name $x in /etc/passwd" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.8.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.8.sh new file mode 100644 index 0000000..02ad855 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.8.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +cut -d: -f1 /etc/group | sort | uniq -d | while read -r x; do + echo "Duplicate group name $x in /etc/group" +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.9.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.9.sh new file mode 100644 index 0000000..f5cc42e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.2.9.sh @@ -0,0 +1,9 @@ +#!/bin/bash +awk -F: '($1!~/(root|halt|sync|shutdown)/ && $7!~/^(\/usr)?\/sbin\/nologin(\/)?$/ && $7!~/(\/usr)?\/bin\/false(\/)?$/) { print $1 " " $6 }' /etc/passwd | while read -r user dir; do + if [ -d "$dir" ]; then + file="$dir/.forward" + if [ ! -h "$file" ] && [ -f "$file" ]; then + echo "User: \"$user\" file: \"$file\" exists" + fi + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.1.3.sh new file mode 100644 index 0000000..7b3479d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.1.3.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +GRUB_CFG="/etc/default/grub" + +if [[ ! -f "$GRUB_CFG" ]]; then + echo "Error: $GRUB_CFG does not exist." + exit 1 +fi +if grep -q "audit=1" "$GRUB_CFG"; then + echo "Found 'audit=1' in $GRUB_CFG." + exit 0 +else + echo "'audit=1' not found in $GRUB_CFG." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.1.4.sh new file mode 100644 index 0000000..158b8cc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.1.4.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +GRUB_CFG="/etc/default/grub" + +if [[ ! -f "$GRUB_CFG" ]]; then + echo "Error: $GRUB_CFG does not exist." + exit 1 +fi +if grep -q "audit_backlog_limit" "$GRUB_CFG"; then + echo "Found 'audit_backlog_limit=1' in $GRUB_CFG." + exit 0 +else + echo "'audit_backlog_limit=1' not found in $GRUB_CFG." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.1.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.1.sh new file mode 100644 index 0000000..a8027ab --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.1.sh 
@@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +l_perm_mask="0137" +if [ -e "/etc/audit/auditd.conf" ]; then + # Extract the log directory from the configuration file + l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" + + if [ -d "$l_audit_log_directory" ]; then + l_maxperm="$(printf '%o' $((0777 & ~$l_perm_mask)))" + + # Find files matching the permission mask and process them line by line + while IFS= read -r l_file; do + # Ensure the file exists and get its mode + if [ -e "$l_file" ]; then + l_file_mode="$(stat -Lc '%#a' "$l_file")" + exit 1 + fi + done < <(find "$l_audit_log_directory" -maxdepth 1 -type f -perm /"$l_perm_mask") + + # Check if any files were processed + if [ $? -eq 0 ]; then + exit 0 + fi + else + exit 0 + fi +else + exit 0 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.2.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.2.sh new file mode 100644 index 0000000..9bf99dc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.2.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +l_output="" l_output2="" +if [ -e "/etc/audit/auditd.conf" ]; then + l_audit_log_directory="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" + if [ -d "$l_audit_log_directory" ]; then + while IFS= read -r l_file; do + l_output2="$l_output2\n - File: \"$l_file\" is owned by user: \"$(stat -Lc '%U' "$l_file")\"\n (should be owned by user: \"root\")\n" + done < <(find "$l_audit_log_directory" -maxdepth 1 -type f ! -user root) + else + l_output2="$l_output2\n - Log file directory not set in \"/etc/audit/auditd.conf\" please set log file directory" + fi +else + l_output2="$l_output2\n - File: \"/etc/audit/auditd.conf\" not found.\n - ** Verify auditd is installed **" +fi +if [ -z "$l_output2" ]; then + l_output="$l_output\n - All files in \"$l_audit_log_directory\" are owned by user: \"root\"\n" + echo -e "\n- Audit Result:\n ** PASS **\n - * Correctly configured * :$l_output" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - * Reasons for auditgfailure * :$l_output2\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.3.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.3.sh new file mode 100644 index 0000000..b5e03bd --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.3.sh 
@@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +audit_conf="/etc/audit/auditd.conf" +perm_mask="0177" +if [ ! -f "$audit_conf" ]; then + exit 1 +fi +audit_log_dir=$(grep -E '^\s*log_file\s*=' "$audit_conf" | cut -d= -f2 | xargs dirname 2>/dev/null) +if [ -z "$audit_log_dir" ]; then + exit 1 +fi +audit_log_group=$(grep -E '^\s*log_group\s*=' "$audit_conf" | cut -d= -f2 | xargs) +if [ -z "$audit_log_group" ]; then + exit 1 +fi +if [ ! -d "$audit_log_dir" ]; then + exit 1 +fi +for file in "$audit_log_dir"/*; do + if [ -f "$file" ]; then + group=$(ls -l "$file" | awk '{print $4}') + if [[ "$group" != "root" && "$group" != "adm" ]]; then + exit 1 + fi + fi +done +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.4.sh b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.4.sh new file mode 100644 index 0000000..dc826da --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/Ubuntu22.04_Debian12/6.3.4.4.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +perm_mask="0027" +if [ -e "/etc/audit/auditd.conf" ]; then + log_dir="$(dirname "$(awk -F= '/^\s*log_file\s*/{print $2}' /etc/audit/auditd.conf | xargs)")" + if [ -d "$log_dir" ]; then + maxperm="$(printf '%o' $((0777 & ~$perm_mask)))" + log_dir_mode="$(stat -Lc '%#a' "$log_dir")" + if [ $(($log_dir_mode & $perm_mask)) -gt 0 ]; then + exit 1 + fi + else + exit 1 + fi +else + exit 1 +fi +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.1.sh new file mode 100644 index 0000000..efdde75 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.1.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="cramfs" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +l_mpath="/lib/modules/**/kernel/$l_mtype" +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. 
If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.2.sh new file mode 100644 index 0000000..eb66ae8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.2.sh 
@@ -0,0 +1,59 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="freevxfs" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.3.sh new file mode 100644 index 0000000..852aa83 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.3.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="hfs" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +l_mpath="/lib/modules/**/kernel/$l_mtype" +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. 
If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.4.sh new file mode 100644 index 0000000..1753ecf --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.4.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="hfsplus" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +l_mpath="/lib/modules/**/kernel/$l_mtype" +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. 
If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.5.sh new file mode 100644 index 0000000..1dca087 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.5.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="jffs2" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +l_mpath="/lib/modules/**/kernel/$l_mtype" +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. 
If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.6.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.6.sh new file mode 100644 index 0000000..51bd145 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.6.sh 
@@ -0,0 +1,63 @@ +#!/usr/bin/env bash + +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="squashfs" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$( + grep -P -- + "(^\h*install|\b$l_mname)\b" <<<"$l_loadable" + )" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.7.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.7.sh new file mode 100644 index 0000000..6bd152c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.7.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="udf" # set module name +l_mtype="fs" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.8.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.8.sh new file mode 100644 index 0000000..bb1ec34 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.1.8.sh 
@@ -0,0 +1,59 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="usb-storage" # set module name +l_mtype="drivers" # set module type +l_searchloc="/lib/modprobe.d/*.conf /usr/local/lib/modprobe.d/*.conf /run/modprobe.d/*.conf /etc/modprobe.d/*.conf" +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + exit 0 +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.1.2.sh new file mode 100644 index 0000000..c087447 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.1.2.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +if grep -q -E '^[^#]*\s/tmp\s' /etc/fstab; then + if grep -E '^[^#]*\s/tmp\s' /etc/fstab | grep -vq 'nodev'; then + exit 1 + fi +fi + +exit 0 
diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.1.3.sh new file mode 100644 index 0000000..c13380b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.1.3.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +if grep -q -E '^[^#]*\s/tmp\s' /etc/fstab; then + # If such a line exists, check if it contains the nosuid flag + if grep -E '^[^#]*\s/tmp\s' /etc/fstab | grep -vq 'nosuid'; then + # If /var exists and does NOT contain nosuid, exit with 1 (error) + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.2.sh new file mode 100644 index 0000000..08bf662 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.2.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/dev/shm" +flag="nodev" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.3.sh new file mode 100644 index 0000000..9febe98 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.3.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/dev/shm" +flag="nosuid" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.4.sh new file mode 100644 index 0000000..b6ca433 
--- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.2.4.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/dev/shm" +flag="noexec" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.3.2.sh new file mode 100644 index 0000000..6b94c6e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.3.2.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/home" +flag="nodev" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.3.3.sh new file mode 100644 index 0000000..5c1a16b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.3.3.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +if grep -q -E '^[^#]*\s/home\s' /etc/fstab; then + if grep -E '^[^#]*\s/home\s' /etc/fstab | grep -vq 'nosuid'; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.4.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.4.2.sh new file mode 100644 index 0000000..c385df1 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.4.2.sh 
@@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +if grep -q -E '^[^#]*\s/var\s' /etc/fstab; then + # If such a line exists, check if it contains the nodev flag + if grep -E '^[^#]*\s/var\s' /etc/fstab | grep -vq 'nodev'; then + # If /var exists and does NOT contain nodev, exit with 1 (error) + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.4.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.4.3.sh new file mode 100644 index 0000000..97dc6a0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.4.3.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +if grep -q -E '^[^#]*\s/var\s' /etc/fstab; then + # If such a line exists, check if it contains the nosuid flag + if grep -E '^[^#]*\s/var\s' /etc/fstab | grep -vq 'nosuid'; then + # If /var exists and does NOT contain nosuid, exit with 1 (error) + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.2.sh new file mode 100644 index 0000000..ae55f46 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.2.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/tmp" +flag="nodev" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.3.sh new file mode 100644 index 0000000..8ffc050 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.3.sh 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/tmp" +flag="nosuid" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.4.sh new file mode 100644 index 0000000..c35e9eb --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.5.4.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/tmp" +flag="noexec" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.2.sh new file mode 100644 index 0000000..e341c1d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.2.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/log" +flag="nodev" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.3.sh new file mode 100644 index 0000000..3880665 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.3.sh 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/log" +flag="nosuid" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.4.sh new file mode 100644 index 0000000..547b916 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.6.4.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/log" +flag="noexec" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.2.sh new file mode 100644 index 0000000..85b3d8b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.2.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/log/audit" +flag="nodev" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.3.sh new file mode 100644 index 0000000..2e33863 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.3.sh 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/log/audit" +flag="nosuid" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.4.sh new file mode 100644 index 0000000..9d49387 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.1.2.7.4.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +directory="/var/log/audit" +flag="noexec" +FSTAB_FILE="/etc/fstab" + +if [[ ! -f "$FSTAB_FILE" ]]; then + echo "Error: $FSTAB_FILE does not exist." + exit 0 +fi + +if grep -q -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE"; then + if grep -E "^[^#]*[[:space:]]+$directory[[:space:]]+" "$FSTAB_FILE" | grep -vq "$flag"; then + exit 1 + fi +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.4.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.4.2.sh new file mode 100644 index 0000000..611a780 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.4.2.sh 
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash + +# Define the paths to check for grub.cfg +UBUNTU_GRUB_PATH="/boot/grub/grub.cfg" +REDHAT_GRUB_PATH="/boot/grub2/grub.cfg" + +# Function to check permissions +check_permissions() { + local file_path="$1" + if [ -f "$file_path" ]; then + # Get the file's permissions in octal format + permissions=$(stat -c "%a" "$file_path") + if [ "$permissions" -eq 600 ]; then + echo "Permissions for $file_path are correct (600)." + exit 0 + else + echo "Permissions for $file_path are incorrect ($permissions)." + exit 1 + fi + fi +} + +# Check for Ubuntu path +check_permissions "$UBUNTU_GRUB_PATH" + +# Check for Red Hat path +check_permissions "$REDHAT_GRUB_PATH" + +# If neither file is found, exit with an error +echo "grub.cfg file not found in the expected locations." +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.5.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.5.1.sh new file mode 100644 index 0000000..b4337a6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.5.1.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +kernel_parameter="kernel.randomize_va_space" +kernel_value="2" + +current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null) + +if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved." + exit 1 +fi + +if [ "$current_value" == "$kernel_value" ]; then + echo "Kernel parameter $kernel_parameter is set to $kernel_value" + exit 0 +else + echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/1.5.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/1.5.2.sh new file mode 100644 index 0000000..804715e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/1.5.2.sh 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +kernel_parameter="kernel.yama.ptrace_scope" +kernel_value="1" +current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null) + +if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved." + exit 1 +fi + +if [ "$current_value" == "$kernel_value" ]; then + echo "Kernel parameter $kernel_parameter is set to $kernel_value" + exit 0 +else + echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/2.1.13.sh b/ATAPAuditor/Helpers/ShellScripts/common/2.1.13.sh new file mode 100644 index 0000000..49e1858 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/2.1.13.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +PATTERN='rsyncd?\.service|rsyncd\.socket' + +# DebUntu rsync.service +# rhel rsyncd.service und rsyncd.socket +services=$(systemctl list-unit-files | grep -oE $PATTERN) +for service in $services; +do + if systemctl is-enabled $service 1>/dev/null 2>/dev/null; then + exit 1 + fi +done + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/2.4.1.8.sh b/ATAPAuditor/Helpers/ShellScripts/common/2.4.1.8.sh new file mode 100644 index 0000000..4692a30 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/2.4.1.8.sh 
@@ -0,0 +1,44 @@ +#!/usr/bin/env bash + +# Define the files to check +FILES=("/etc/cron.allow" "/etc/cron.deny") + +# Function to check a file +check_file() { + local file=$1 + + # Check if the file exists + if [ ! -e "$file" ]; then + echo "File $file does not exist. Ignoring." + return 0 + fi + + # Get the file permissions in numeric format + local permissions=$(stat -c "%a" "$file") + local owner=$(stat -c "%U" "$file") + local group=$(stat -c "%G" "$file") + + # Check if the file permissions are 0640 or more restrictive + if [ "$permissions" -gt 640 ]; then + echo "File $file permissions are not 0640 or more restrictive." + return 1 + fi + + # Check if the owner is root and group is root + if [ "$owner" != "root" ] || [ "$group" != "root" ]; then + echo "File $file owner or group is not root." + return 1 + fi + + return 0 +} + +# Check each file +for file in "${FILES[@]}"; do + if ! check_file "$file"; then + exit 1 + fi +done + +# If all checks pass, exit with status 0 +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/2.4.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/2.4.2.1.sh new file mode 100644 index 0000000..6fa5d37 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/2.4.2.1.sh 
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Define the files to check +FILES=("/etc/at.allow" "/etc/at.deny") + +check_file() { + local file=$1 + + # Check if the file exists + if [ ! -e "$file" ]; then + echo "File $file does not exist. Ignoring." + return 0 + fi + + # Get the file permissions in numeric format + local permissions=$(stat -c "%a" "$file") + local owner=$(stat -c "%U" "$file") + local group=$(stat -c "%G" "$file") + + # Check if the file permissions are 0640 or more restrictive + if [ "$permissions" -gt 640 ]; then + echo "File $file permissions are not 0640 or more restrictive." + return 1 + fi + + # Check if the owner is root and group is root + if [ "$owner" != "root" ] || [ "$group" != "root" ]; then + echo "File $file owner or group is not root." + return 1 + fi + + return 0 +} + +# Check each file +for file in "${FILES[@]}"; do + if ! check_file "$file"; then + exit 1 + fi +done + +# If all checks pass, exit with status 0 +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.1.2.sh new file mode 100644 index 0000000..a508fc2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.1.2.sh 
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +l_output="" l_output2="" +module_chk() { + # Check how module will be loaded + l_loadable="$(modprobe -n -v "$l_mname")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi + # Check is the module currently loaded + if ! lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi + # Check if the module is deny listed + if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then + l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)"; done | sort -u) + for l_mname in $l_dname; do + module_chk + done +fi +# Report results. If no failures output in l_output2, we pass +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **" + if [ -z "$l_output" ]; then + echo -e "\n - System has no wireless NICs installed" + else + echo -e "\n$l_output\n" + fi +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.2.1.sh new file mode 100644 index 0000000..9d23af8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.2.1.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="dccp" # set module name +l_mtype="net" # set module type +#replaced in original script to avoid wildcard +l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null) +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.2.2.sh new file mode 100644 index 0000000..de75e39 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.2.2.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="tipc" # set module name +l_mtype="net" # set module type +#replaced in original script to avoid wildcard +l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null) +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.2.3.sh new file mode 100644 index 0000000..8542840 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.2.3.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="rds" # set module name +l_mtype="net" # set module type +#replaced in original script to avoid wildcard +l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null) +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.2.4.sh new file mode 100644 index 0000000..65814a1 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.2.4.sh 
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +l_output="" l_output2="" l_output3="" l_dl="" # Unset output variables +l_mname="sctp" # set module name +l_mtype="net" # set module type +#replaced in original script to avoid wildcard +l_searchloc=$(find $(for dir in /lib/modprobe.d /usr/local/lib/modprobe.d /run/modprobe.d /etc/modprobe.d; do [[ -d "$dir" ]] && echo "$dir"; done) -type f -name "*.conf" 2>/dev/null) +#replaced in original script to avoid globstar operator +l_mpath=$(find /lib/modules/ -type d -name $l_mtype) +l_mpname="$(tr '-' '_' <<<"$l_mname")" +l_mndir="$(tr '-' '/' <<<"$l_mname")" +module_loadable_chk() { + # Check if the module is currently loadable + l_loadable="$(modprobe -n -v "$l_mname")" + [ "$(wc -l <<<"$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<<"$l_loadable")" + if grep -Pq -- '^\h*install \/bin\/(true|false)' <<<"$l_loadable"; then + l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\"" + fi +} +module_loaded_chk() { + # Check if the module is currently loaded + if ! 
lsmod | grep "$l_mname" >/dev/null 2>&1; then + l_output="$l_output\n - module: \"$l_mname\" is not loaded" + else + l_output2="$l_output2\n - module: \"$l_mname\" is loaded" + fi +} +module_deny_chk() { + # Check if the module is deny listed + l_dl="y" + if modprobe --showconfig | grep -Pq -- '^\h*blacklist\h+'"$l_mpname"'\b'; then + l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pls -- "^\h*blacklist\h+$l_mname\b" $l_searchloc)\"" + else + l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed" + fi +} +# Check if the module exists on the system +for l_mdir in $l_mpath; do + if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then + l_output3="$l_output3\n - \"$l_mdir\"" + [ "$l_dl" != "y" ] && module_deny_chk + if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then + module_loadable_chk + module_loaded_chk + fi + else + l_output="$l_output\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"" + fi +done +# Report results. If no failures output in l_output2, we pass +[ -n "$l_output3" ] && echo -e "\n\n -- INFO --\n - module: \"$l_mname\" exists in:$l_output3" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" +else + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.1.sh new file mode 100644 index 0000000..166442a --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.1.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.ip_forward" "net.ipv6.conf.all.forwarding") +kernel_values=("0" "0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.10.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.10.sh new file mode 100644 index 0000000..b0a3201 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.10.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +kernel_parameter="net.ipv4.tcp_syncookies" +kernel_value="1" +current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null) + +if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved." + exit 1 +fi + +if [ "$current_value" == "$kernel_value" ]; then + echo "Kernel parameter $kernel_parameter is set to $kernel_value" + exit 0 +else + echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.11.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.11.sh new file mode 100644 index 0000000..c4bb189 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.11.sh 
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv6.conf.all.accept_ra" "net.ipv6.conf.default.accept_ra") +kernel_values=("0" "0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.2.sh new file mode 100644 index 0000000..4a0b392 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.2.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.conf.all.send_redirects" "net.ipv4.conf.default.send_redirects") +kernel_values=("0" "0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.3.sh new file mode 100644 index 0000000..1be5056 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.3.sh 
@@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +kernel_parameter="net.ipv4.icmp_ignore_bogus_error_responses" +kernel_value="1" +current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null) + +if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved." + exit 1 +fi + +if [ "$current_value" == "$kernel_value" ]; then + echo "Kernel parameter $kernel_parameter is set to $kernel_value" + exit 0 +else + echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.4.sh new file mode 100644 index 0000000..fc0cdb4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.4.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash + +kernel_parameter="net.ipv4.icmp_echo_ignore_broadcasts" +kernel_value="1" + +current_value=$(sysctl -n "$kernel_parameter" 2>/dev/null) + +if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $kernel_parameter does not exist or could not be retrieved." + exit 1 +fi + +if [ "$current_value" == "$kernel_value" ]; then + echo "Kernel parameter $kernel_parameter is set to $kernel_value" + exit 0 +else + echo "Kernel parameter $kernel_parameter is not set to $kernel_value (current value: $current_value)" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.5.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.5.sh new file mode 100644 index 0000000..f04bdbc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.5.sh 
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.conf.all.accept_redirects" "net.ipv4.conf.default.accept_redirects" "net.ipv6.conf.all.accept_redirects" "net.ipv6.conf.default.accept_redirects") +kernel_values=("0" "0" "0" "0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.6.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.6.sh new file mode 100644 index 0000000..d9d1bec --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.6.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.conf.default.secure_redirects" "net.ipv4.conf.all.secure_redirects") +kernel_values=("0" "0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done 
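Review bot: the permission test `[ "$permissions" -gt 640 ]` in the at.allow/at.deny script (first hunk above) compares the octal mode string as a decimal number, so a group-writable 0620 passes while 0700 fails. "0640 or more restrictive" is a mask test; use something like `[ $(( 8#$permissions & 8#137 )) -ne 0 ]` to flag any bit outside rw-r-----.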
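Review bot: in 3.1.2.sh, `find ... -name wireless | xargs -0 dirname` feeds newline-delimited find output to `xargs -0`, so with more than one wireless interface every path arrives as a single argument and `dirname` returns a nonsense path; drop `-0` or switch to `find -print0`. Separately, `lsmod | grep "$l_mname"` is a substring match (module `ath` is reported loaded when only `ath9k` is); anchor it with `grep -w`.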
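Review bot: 3.2.1.sh prints `** FAIL **` but never exits non-zero: the script's status is that of the last command in the `else` branch, `[ -n "$l_output" ] && echo ...`, so a failed audit returns 0 whenever something was also listed as correctly set. Add an explicit `exit 1` after that line, as 3.1.2.sh does. The same gap is in 3.2.2.sh, 3.2.3.sh and 3.2.4.sh.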
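Review bot: 3.2.2.sh, 3.2.3.sh and 3.2.4.sh are copies of 3.2.1.sh that differ only in `l_mname`; one shared script taking the module name as `$1` (or a sourced helper) would keep the four checks from drifting when one of them is fixed.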
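Review bot: 3.3.1.sh reports a mismatch for `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` but has no `exit 1` in the `else` branch, unlike 3.3.2.sh and 3.3.11.sh in this same patch, so the check passes even when forwarding is enabled. Add `exit 1` after the "is not set to" echo.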
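Review bot: in 3.3.5.sh (and likewise 3.3.8.sh and 3.3.11.sh) a missing `net.ipv6.*` sysctl makes the script `exit 1` with "does not exist"; on hosts booted with `ipv6.disable=1` that sysctl tree is absent, so a compliant host fails the check. Treat an absent IPv6 key as not applicable (skip with a message) rather than as an audit failure.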
diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.7.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.7.sh new file mode 100644 index 0000000..f7af3f9 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.7.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.conf.all.rp_filter" "net.ipv4.conf.default.rp_filter") +kernel_values=("1" "1") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.8.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.8.sh new file mode 100644 index 0000000..6850679 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.8.sh 
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.conf.all.accept_source_route" "net.ipv4.conf.default.accept_source_route" "net.ipv6.conf.all.accept_source_route" "net.ipv6.conf.default.accept_source_route") +kernel_values=("0" "0" "0" "0") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/3.3.9.sh b/ATAPAuditor/Helpers/ShellScripts/common/3.3.9.sh new file mode 100644 index 0000000..33c9968 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/3.3.9.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +kernel_parameters=("net.ipv4.conf.all.log_martians" "net.ipv4.conf.default.log_martians") +kernel_values=("1" "1") +len=${#kernel_parameters[@]} +for ((i = 0; i < len; i++)); do + param=${kernel_parameters[$i]} + value=${kernel_values[$i]} + current_value=$(sysctl -n "$param" 2>/dev/null) + + # Check if sysctl command was successful + if [ $? -ne 0 ]; then + echo "Error: Kernel parameter $param does not exist or could not be retrieved." + exit 1 + fi + + # Check if the current value matches the expected value + if [ "$current_value" == "$value" ]; then + echo "Kernel parameter $param is set correctly to $value." + else + echo "Kernel parameter $param is not set to $value (current value: $current_value)." + exit 1 + fi +done 
diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.1.16.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.1.16.sh new file mode 100644 index 0000000..c745626 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.1.16.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=maxauthtries +parameter_sshd_config=MaxAuthTries +desired_value=4 + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + exit 1 + fi +fi + +if [ "$actual_value" -le "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.1.19.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.1.19.sh new file mode 100644 index 0000000..164bac4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.1.19.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +parameter_sshd_t=permitemptypasswords +parameter_sshd_config=PermitEmptyPasswords +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + echo "$parameter_sshd_config not set in sshd_config, using default" + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi 
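Review bot: in 5.1.16.sh the fallback greps use single quotes, `grep -iq '^$parameter_sshd_config'`, so the variable is never expanded and the pattern is the literal text `^$parameter_sshd_config`, which matches nothing; use double quotes as 5.1.19.sh does. The same bug is in 5.1.20.sh and 5.1.22.sh. Note also that `sshd -T` must run as root; when it yields nothing, falling back to /etc/ssh/sshd_config alone ignores directives pulled in via `Include` (sshd_config.d).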
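Review bot: in 5.1.19.sh the existence check is case-insensitive (`grep -iq "^$parameter_sshd_config"`) but the value extraction is not (`grep "^$parameter_sshd_config"`), so a lowercase `permitemptypasswords no` in sshd_config is found by the first grep and then produces an empty `actual_value`, failing the check. Use `-i` on both; 5.1.21.sh has the same inconsistency.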
diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.1.20.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.1.20.sh new file mode 100644 index 0000000..d525c6b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.1.20.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=permitrootlogin +parameter_sshd_config=PermitRootLogin +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.1.21.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.1.21.sh new file mode 100644 index 0000000..b8f5269 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.1.21.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +parameter_sshd_t=permituserenvironment +parameter_sshd_config=PermitUserEnvironment +desired_value=no + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq "^$parameter_sshd_config" /etc/ssh/sshd_config; then + actual_value=$(grep "^$parameter_sshd_config" /etc/ssh/sshd_config | awk '{print $2}') + else + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.1.22.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.1.22.sh new file mode 100644 index 0000000..8c684c1 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.1.22.sh 
@@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +parameter_sshd_t=usepam +parameter_sshd_config=UsePAM +desired_value=yes + +if ! command -v sshd &>/dev/null; then + echo "sshd command could not be found" + exit 0 +fi + +# Check using sshd -T output +actual_value=$(sshd -T | grep -i "$parameter_sshd_t" | awk '{print $2}') + +if [ -z "$actual_value" ]; then + if grep -iq '^$parameter_sshd_config' /etc/ssh/sshd_config; then + actual_value=$(grep -i '^$parameter_sshd_config' /etc/ssh/sshd_config | awk '{print $2}') + else + + exit 1 + fi +fi + +if [ "$actual_value" = "$desired_value" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.1.3.sh new file mode 100644 index 0000000..23be640 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.1.3.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +pmask="0133" +maxperm="$(printf '%o' $((0777 & ~$pmask)))" + +find -L /etc/ssh -type f 2>/dev/null | while IFS= read -r file; do + if ssh-keygen -lf "$file" &>/dev/null && file "$file" | grep -qi 'OpenSSH.*public key'; then + read -r mode owner group < <(stat -Lc '%#a %U %G' "$file") + [ $((mode & pmask)) -gt 0 ] && exit 1 + [ "$owner" != "root" ] && exit 1 + [ "$group" != "root" ] && exit 1 + fi +done diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.2.2.sh new file mode 100644 index 0000000..e41a341 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.2.2.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# Simplified pattern +pattern="Defaults use_pty" + +# Check if the pattern exists in /etc/sudoers +if grep -E "^\s*Defaults\s+use_pty" /etc/sudoers >/dev/null; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.2.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.2.3.sh new file mode 100644 index 0000000..9c958aa --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.2.3.sh 
@@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +PATTERN="^\h*Defaults\h+([^#]+,\h*)?logfile\h*=\h*(\"|\')?\H+(\"|\')?(,\h*\H+\h*)*\h*(#.*)?$" +FILES='/etc/sudoers*' + +if grep -rPsi "$PATTERN" $FILES >/dev/null 2>&1; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.2.6.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.2.6.sh new file mode 100644 index 0000000..510f285 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.2.6.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +timeout=$(grep -roP "timestamp_timeout=\K[0-9]*" /etc/sudoers* | grep -v "/etc/sudoers.bak") + +if [ -n "$timeout" ]; then + timeout=$(echo "$timeout" | grep -oP "[0-9]+$") +fi + +if [ -z "$timeout" ]; then + timeout=$(sudo -V | grep -oP "(?<=Authentication timestamp timeout: )\d+") +fi + +if [ -z "$timeout" ]; then + timeout=0 +fi + +timeout=${timeout:-0} + +if [ "$timeout" -le 15 ] && [ "$timeout" -gt 0 ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.1.sh new file mode 100644 index 0000000..19eec99 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.1.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +faillock_conf="/etc/security/faillock.conf" +expected_value=5 +if grep -Pq '^\s*#?\s*deny\s*=\s*([0-9]+)' "$faillock_conf"; then + current_value=$(grep -Eo '^\s*#?\s*deny\s*=\s*([0-9]+)' "$faillock_conf" | awk -F'=' '{print $2}' | tr -d ' ') +else + echo "ERROR: deny is not set in $faillock_conf." + exit 1 +fi +if ((current_value <= expected_value)); then + exit 0 +else + echo "ERROR: deny=$current_value is higher than $expected_value" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.2.sh new file mode 100644 index 0000000..2c84f13 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.2.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +faillock_conf="/etc/security/faillock.conf" +expected_value=900 +value="unlock_time" +regex_pattern="^\s*#*\s*${value}\s*=\s*[0-9]+" + +if grep -Eq "$regex_pattern" "$faillock_conf"; then + current_value=$(grep -E "$regex_pattern" "$faillock_conf" | head -n 1 | sed -E "s/.*=\s*([0-9]+)/\1/" | tr -d ' ') + if [[ $current_value =~ ^# ]]; then + echo "ERROR: The line is commented out" + exit 1 + fi + if ((current_value < expected_value)); then + echo "ERROR: unlock_time = $current_value < $expected_value" + exit 1 + else + exit 0 + fi +else + echo "ERROR: No such line found for unlock_time in $faillock_conf" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.3.sh new file mode 100644 index 0000000..0b03ba8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.1.3.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +faillock_conf="/etc/security/faillock.conf" +limit_value=60 + +if grep -Eq "^\s*even_deny_root\s*" "$faillock_conf"; then + echo "Test passed: even_deny_root is correctly enabled." +else + echo "ERROR: even_deny_root is missing or commented out." + exit 1 +fi + +if grep -Eq "^\s*root_unlock_time\s*=\s*[0-9]+\s*" "$faillock_conf"; then + current_value=$(grep -Eo "^\s*root_unlock_time\s*=\s*[0-9]+" "$faillock_conf" | awk -F'=' '{print $2}' | tr -d ' ') + if ((current_value >= limit_value)); then + echo "Test passed: root_unlock_time=$current_value is correctly set." + else + echo "ERROR: root_unlock_time=$current_value is less than $limit_value." + exit 1 + fi +else + echo "ERROR: root_unlock_time is missing or commented out." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.1.sh new file mode 100644 index 0000000..8596d69 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.1.sh 
@@ -0,0 +1,49 @@ +#!/usr/bin/env bash + +# Configuration file to check +FILE="/etc/security/pwquality.conf" +# Pattern to search for +PATTERN="difok" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^[[:space:]]*#?[[:space:]]*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^[[:space:]]*#[[:space:]]*$PATTERN\b" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of difok using grep and sed + VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 2 + if [ "$VALUE" -lt 2 ]; then + echo "The value of $PATTERN ($VALUE) is less than 2." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (>= 2)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.2.sh new file mode 100644 index 0000000..1c25ca4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.2.sh 
@@ -0,0 +1,49 @@ +#!/usr/bin/env bash + +# Configuration file to check +FILE="/etc/security/pwquality.conf" +# Pattern to search for +PATTERN="minlen" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^[[:space:]]*#?[[:space:]]*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^[[:space:]]*#[[:space:]]*$PATTERN\b" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of minlen using grep and sed + VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 14 + if [ "$VALUE" -lt 14 ]; then + echo "The value of $PATTERN ($VALUE) is less than 14." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (>= 14)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.4.sh new file mode 100644 index 0000000..e27b2ae --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.4.sh 
@@ -0,0 +1,48 @@ +#!/usr/bin/env bash +# Configuration file to check +FILE="/etc/security/pwquality.conf" +# Pattern to search for +PATTERN="maxrepeat" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^\s*#\s*$PATTERN\b" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of maxrepeat using grep and sed + VALUE=$(grep -E "^\s*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 3 + if [ "$VALUE" -gt 3 ] || [ "$VALUE" -eq 0 ]; then + echo "The value of $PATTERN ($VALUE) is greather than 3 or equal to 0." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (<3 und >0)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.5.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.5.sh new file mode 100644 index 0000000..f3f1dc8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.5.sh 
@@ -0,0 +1,49 @@ +#!/usr/bin/env bash + +# Configuration file to check +FILE="/etc/security/pwquality.conf" +# Pattern to search for +PATTERN="maxsequence" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^\s*#\s*$PATTERN\b" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of maxsequence using grep and sed + VALUE=$(grep -E "^\s*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 3 + if [ "$VALUE" -gt 3 ] || [ "$VALUE" -eq 0 ]; then + echo "The value of $PATTERN ($VALUE) is greather than 3 or equal to 0." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (<3 und >0)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.6.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.6.sh new file mode 100644 index 0000000..cae1141 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.2.6.sh 
@@ -0,0 +1,48 @@ +#!/usr/bin/env bash +# Configuration file to check +FILE="/etc/security/pwquality.conf" +# Pattern to search for +PATTERN="dictcheck" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^\s*#\s*$PATTERN\b" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of dictcheck using grep and sed + VALUE=$(grep -E "^\s*$PATTERN\s*=\s*[0-9]+" "$FILE" | sed -E 's/.*=\s*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 1 + if [ "$VALUE" -ne 1 ] || [ "$VALUE" -eq 0 ]; then + echo "The value of $PATTERN ($VALUE) is not the best or egal to 0. Updating to $R_VALUE." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (dictcheck = 1)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.3.3.sh new file mode 100644 index 0000000..5e0bb2c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.3.3.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +files_to_check=$(awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*) +if [[ -z $files_to_check ]]; then + echo "file was not found" +else + for file in "$files_to_check"; do + if grep -Eq "pam_pwhistory\.so.*use_authtok" "$file"; then + exit 0 + else + exit 1 + fi + done + exit 1 +fi 
diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.4.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.4.1.sh new file mode 100644 index 0000000..b05ee3e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.4.1.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +files_to_check=$(grep -El 'pam_unix\.so\s+([^#\s]+\s+)?nullok\b' /usr/share/pam-configs/*) +if [[ -z "$files_to_check" ]]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.4.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.4.4.sh new file mode 100644 index 0000000..ba88210 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.3.3.4.4.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +files_to_check=$(grep -Elz "Password-Type:.*\n.*pam_unix\.so" /usr/share/pam-configs/*) +if [ -z "$files_to_check" ]; then + echo "No relevant files found." + exit 0 +fi + +for file in $files_to_check; do + if ! grep -Eq "pam_unix\.so.*use_authtok" "$file"; then + exit 1 + fi +done +exit 0 + diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.1.sh new file mode 100644 index 0000000..e9d4f78 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.1.sh 
@@ -0,0 +1,49 @@ +#!/usr/bin/env bash + +# Configuration file to check +FILE="/etc/login.defs" +# Pattern to search for +PATTERN="PASS_MAX_DAYS" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^#\s*$PATTERN\s+[0-9]+" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of PASS_MAX_DAYS using grep and sed + VALUE=$(grep -E "^#?\s*$PATTERN\s+[0-9]+" "$FILE" | sed -E 's/[^0-9]*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 365 + if [ "$VALUE" -gt 365 ] || [ "$VALUE" -eq 0 ]; then + echo "The value of $PATTERN ($VALUE) is greather than 365 or egal to 0." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (<=365)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.2.sh new file mode 100644 index 0000000..1dfaa45 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.2.sh 
@@ -0,0 +1,48 @@ +#!/usr/bin/env bash +# Configuration file to check +FILE="/etc/login.defs" +# Pattern to search for +PATTERN="PASS_MIN_DAYS" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^#\s*$PATTERN\s+[0-9]+" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of PASS_MIN_DAYS using grep and sed + VALUE=$(grep -E "^[[:space:]]*$PATTERN\s*=?\s*[0-9]+" "$FILE" | sed -E 's/[^0-9]*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 0 + if [ "$VALUE" -le 0 ]; then + echo "The value of $PATTERN ($VALUE) is less than 0 or egal to 0." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (>=0)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.3.sh new file mode 100644 index 0000000..da7c69b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.3.sh 
@@ -0,0 +1,48 @@ +#!/usr/bin/env bash +# Configuration file to check +FILE="/etc/login.defs" +# Pattern to search for +PATTERN="PASS_WARN_AGE" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -E "^\s*#?\s*$PATTERN\b" "$FILE" >/dev/null +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + grep -E "^#\s*$PATTERN\s+[0-9]+" "$FILE" >/dev/null + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + # Extract the value of PASS_WARN_AGE using grep and sed + VALUE=$(grep -E "^#?\s*$PATTERN\s+[0-9]+" "$FILE" | sed -E 's/[^0-9]*([0-9]+).*/\1/') + + # If the value was found and it's a valid number + if [[ -n "$VALUE" ]]; then + # Compare the extracted value with 7 + if [ "$VALUE" -lt 7 ]; then + echo "The value of $PATTERN ($VALUE) is less than 7 ." + exit 1 + else + echo "The value of $PATTERN ($VALUE) is valid (>=7)." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi +else + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.4.sh new file mode 100644 index 0000000..448c3d7 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.4.sh 
@@ -0,0 +1,55 @@ +#!/usr/bin/env bash +# Configuration file to check +FILE="/etc/login.defs" +# Pattern to search for +PATTERN="ENCRYPT_METHOD" + +# Check if the configuration file exists +if [ ! -f "$FILE" ]; then + echo "File $FILE not found." + exit 1 +fi + +# Search for the pattern, whether it's commented or not +grep -Eq "^#?\s*$PATTERN\s+\S+$" "$FILE" +FOUND=$? + +# If the pattern is found +if [ $FOUND -eq 0 ]; then + # Check if the pattern is commented + + grep -Eq "^#\s*$PATTERN\s+\S+$" "$FILE" + COMMENTED=$? + + if [ $COMMENTED -eq 0 ]; then + echo "Pattern $PATTERN is commented." + exit 1 + fi + + line=$(grep -E "^\s*$PATTERN\s+\S+$" "$FILE") + if [ -n "$line" ]; then + word=$(echo "$line" | awk '{print $2}') + fi + + if [[ -n "$word" ]]; then + # Compare the extracted word with SHA512 UND YESCRYPT + VALUE1="SHA512" + VALUE2="YESCRYPT" + + if [ "$word" != "$VALUE1" ] && [ "$word" != "$VALUE2" ]; then + echo "The value of $PATTERN ($word) is not good." + exit 1 + else + echo "The value of $PATTERN ($word) is valid (equal to SHA512 or YESCRYPT). No changes needed." + exit 0 + fi + else + echo "No valid value for $PATTERN found." + exit 1 + fi + +else + + echo "Pattern $PATTERN not found." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.5.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.5.sh new file mode 100644 index 0000000..971500c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.1.5.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +expected_inactive_days=45 + +if useradd -D | grep -Eq '^\s*INACTIVE\s*=\s*'$expected_inactive_days'\b'; then + echo "Default inactivity period is correct." +else + echo "Default inactivity period is incorrect." + exit 1 +fi + +while IFS=: read -r username password lastchg min max warn inactive_days expire; do + if [[ -z "$inactive_days" || "$inactive_days" == " " ]]; then + continue + fi + + if [[ "$inactive_days" -gt $expected_inactive_days ]]; then + echo "User $username exceeds policy." + exit 1 + fi +done /dev/null +FOUND=$? + +if [ $FOUND -eq 0 ]; then + + echo "The line containing '$PATTERN' is in the File $FILE." + exit 1 +else + echo "$PATTERN is not in the File or not Found" + exit 0 + +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.3.2.sh new file mode 100644 index 0000000..66f3e7c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.3.2.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +tmout=$(grep 'typeset -xr TMOUT=900' -- /etc/bashrc /etc/profile /etc/profile.d/*.sh 2>/dev/null) +if [[ -n "$tmout" ]]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/5.4.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/5.4.3.3.sh new file mode 100644 index 0000000..762b687 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/5.4.3.3.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +for file in /etc/profile.d/*.sh; do + if grep -P '^\s*umask\s+0027' "$file" &>/dev/null; then + exit 0 + fi +done + +exit 1 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.1.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.1.3.sh new file mode 100644 index 0000000..ff0893c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.1.3.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +config_file="/etc/aide/aide.conf" +pattern=("/sbin/auditctl" "/sbin/auditd" "/sbin/ausearch" "/sbin/aureport" "/sbin/autrace" "/sbin/augenrules") +if [ ! -f "$config_file" ]; then + exit 0 +fi + +for line in "${pattern[@]}"; do + regex_pattern="^\s*#*\s*${line}\b" + if ! grep -Eq "$regex_pattern" "$config_file"; then + exit 1 + fi +done +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.2.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.2.1.sh new file mode 100644 index 0000000..738e15e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.2.1.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Path to the auditd configuration file +AUDITD_CONF="/etc/audit/auditd.conf" + +# Check if the file exists +if [[ -f "$AUDITD_CONF" ]]; then + # Use grep to search for the pattern + if grep -qE "^max_log_file[[:space:]]*=[[:space:]]*[0-9]+" "$AUDITD_CONF"; then + exit 0 + else + exit 1 + fi +else + echo "File $AUDITD_CONF does not exist." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.2.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.2.2.sh new file mode 100644 index 0000000..59310ea --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.2.2.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +# Path to the auditd configuration file +AUDITD_CONF="/etc/audit/auditd.conf" + +# Check if the file exists +if [[ -f "$AUDITD_CONF" ]]; then + # Use grep to search for the exact line + if grep -q "^max_log_file_action[[:space:]]*=[[:space:]]*keep_logs" "$AUDITD_CONF"; then + exit 0 + else + exit 1 + fi +else + echo "File $AUDITD_CONF does not exist." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.1.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.1.sh new file mode 100644 index 0000000..82d7efc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.1.sh 
@@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +on_disk=$(awk '/^ *-w/ &&/\/etc\/sudoers/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +if [[ -n "$on_disk" ]]; then + exit 0 +else + echo "ERROR: Audit rules are NOT correctly set." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.10.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.10.sh new file mode 100644 index 0000000..68d108c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.10.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&/mount/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.12.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.12.sh new file mode 100644 index 0000000..52f851b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.12.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +on_disk=$(awk '/^ *-w/ &&(/\/var\/log\/lastlog/ ||/\/var\/run\/faillock/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +if [[ -n "$on_disk" ]]; then + exit 0 +else + echo "ERROR: Audit rules are NOT correctly set." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.13.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.13.sh new file mode 100644 index 0000000..546a654 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.13.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -S/ &&(/unlink/||/rename/||/unlinkat/||/renameat/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.14.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.14.sh new file mode 100644 index 0000000..4b7b281 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.14.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +on_disk=$(awk '/^ *-w/ &&(/\/etc\/selinux/ ||/\/usr\/share\/selinux/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +if [[ -n "$on_disk" ]]; then + exit 0 +else + echo "ERROR: Audit rules are NOT correctly set." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.15.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.15.sh new file mode 100644 index 0000000..1a955df --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.15.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chcon/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.16.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.16.sh new file mode 100644 index 0000000..7fc8af4 --- /dev/null 
+++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.16.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/setfacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.17.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.17.sh new file mode 100644 index 0000000..60136b8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.17.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/bin\/chacl/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.18.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.18.sh new file mode 100644 index 0000000..802d3e6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.18.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *perm=x/ &&/ -F *path=\/usr\/sbin\/usermod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.19.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.19.sh new file mode 100644 index 0000000..444494e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.19.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F auid!=unset/||/ -F auid!=-1/||/ -F auid!=4294967295/) &&/ -S/ &&(/init_module/ ||/finit_module/ ||/delete_module/ ||/create_module/ ||/query_module/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + echo "ERROR: on_disk != loaded" + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.2.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.2.sh new file mode 100644 index 0000000..191d9bc --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.2.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +on_disk=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&(/ -C *euid!=uid/||/ -C *uid!=euid/) &&/ -S *execve/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +if [[ -n "$on_disk" ]]; then + exit 0 +else + echo "ERROR: Audit rules are NOT correctly set." + exit 1 +fi 
diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.3.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.3.sh new file mode 100644 index 0000000..a949cf6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.3.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +SUDO_LOG_FILE=$(grep -r logfile /etc/sudoers* | grep -v "/etc/sudoers.bak" | sed -e 's/.*logfile=//;s/,? .*//' -e 's/"//g') + +if [ -n "$SUDO_LOG_FILE" ]; then + on_disk=$(grep -E "^\s*-w\s+$SUDO_LOG_FILE\s+-p\s+wa" /etc/audit/rules.d/*.rules) + loaded=$(auditctl -l | grep -E "^\s*-w\s+$SUDO_LOG_FILE\s+-p\s+wa") + if [[ -n "$on_disk" && -n "$loaded" ]]; then + echo "Audit rules are correctly set." + exit 0 + else + echo "ERROR: Audit rules are NOT correctly set or loaded." + exit 1 + fi +else + echo "ERROR: Variable 'SUDO_LOG_FILE' is unset or empty." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.4.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.4.sh new file mode 100644 index 0000000..008e93d --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.4.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +on_disk1=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/adjtimex/ ||/settimeofday/ ||/clock_settime/ ) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +on_disk2=$(awk '/^ *-w/ &&/\/etc\/localtime/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +if [[ -n "$on_disk1" && -n "$on_disk2" ]]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.5.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.5.sh new file mode 100644 index 0000000..49fedb4 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.5.sh 
@@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +on_disk1=$(awk '/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&/ -S/ &&(/sethostname/ ||/setdomainname/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +on_disk2=$(awk '/^ *-w/ &&(/\/etc\/issue/ ||/\/etc\/issue.net/ ||/\/etc\/hosts/ ||/\/etc\/network/ ||/\/etc\/netplan/) &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules) + +if [[ -n "$on_disk1" && -n "$on_disk2" ]]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.6.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.6.sh new file mode 100644 index 0000000..7e721aa --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.6.sh 
@@ -0,0 +1,38 @@ +#!/usr/bin/env bash + +test_failed=0 +for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do + for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do + if grep -qr "${PRIVILEGED}" /etc/audit/rules.d; then + printf "OK: '${PRIVILEGED}' found in on-disk configuration.\n" + else + printf "ERROR: '${PRIVILEGED}' not found in on-disk configuration.\n" + test_failed=1 + fi + done +done + +RUNNING=$(auditctl -l) +if [ -n "${RUNNING}" ]; then + for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do + for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do + if printf -- "${RUNNING}" | grep -q "${PRIVILEGED}"; then + printf "OK: '${PRIVILEGED}' found in running configuration.\n" + else + printf "ERROR: '${PRIVILEGED}' not found in running configuration.\n" + test_failed=1 + fi + done + done +else + printf "ERROR: No rules found in running configuration.\n" + test_failed=1 +fi + +# Setze den Exit-Code basierend auf dem Test-Status +if [ "$test_failed" -eq 0 ]; then + exit 0 +else + echo "Some checks failed." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.7.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.7.sh new file mode 100644 index 0000000..930e44e --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.7.sh 
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "${UID_MIN}" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&(/ -F *exit=-EACCES/||/ -F *exit=-EPERM/) &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.8.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.8.sh new file mode 100644 index 0000000..e15858c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.8.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +rules_file="/etc/audit/rules.d/50-fbPro-hardening.rules" + +if grep -qE -- '^\s*-w\s+(\/etc\/group|\/etc\/passwd|\/etc\/gshadow|\/etc\/shadow|\/etc\/security\/opasswd|\/etc\/nsswitch\.conf|\/etc\/pam\.conf|\/etc\/pam\.d)' $rules_file && + grep -qE -- '-p\s+wa' $rules_file && + grep -qE -- '(\s*key=\s*[!-~]*\s*|-\s*k\s*[!-~]*\s*)' $rules_file; then + exit 0 +else + echo "ERROR: Audit rules are NOT correctly set." + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.9.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.9.sh new file mode 100644 index 0000000..85f5de5 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.3.9.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +UID_MIN=$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs) + +if [ -n "$UID_MIN" ]; then + on_disk=$(awk "/^ *-a *always,exit/ &&/ -F *arch=b(32|64)/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&(/chmod/||/fchmod/||/fchmodat/ ||/chown/||/fchown/||/fchownat/||/lchown/ ||/setxattr/||/lsetxattr/||/fsetxattr/ ||/removexattr/||/lremovexattr/||/fremovexattr/) &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)" /etc/audit/rules.d/*.rules) + + if [[ -n "$on_disk" ]]; then + exit 0 + else + exit 1 + fi +else + echo "ERROR: Variable 'UID_MIN' is unset.\n" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.5.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.5.sh new file mode 100644 index 0000000..2ce94b1 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.5.sh @@ -0,0 +1,28 @@ +#!/usr/bin/env bash + +l_output="" l_output2="" l_perm_mask="0137" +l_maxperm="$(printf '%o' $((0777 & ~$l_perm_mask)))" + +# Capture the output of find into a variable +l_files=$(find /etc/audit/ -type f \( -name "*.conf" -o -name '*.rules' \)) + +# Loop through each file in the list +while IFS= read -r l_fname; do + # Skip empty lines (in case of any) + [ -z "$l_fname" ] && continue + + # Get the file mode + l_mode=$(stat -Lc '%#a' "$l_fname") + + # Check if the file mode matches the permission mask + if [ $((l_mode & l_perm_mask)) -gt 0 ]; then + l_output2="$l_output2\n - file: \"$l_fname\" is mode: \"$l_mode\" (should be mode: \"$l_maxperm\" or more restrictive)" + fi +done <<<"$l_files" + +# Output the results +if [ -z "$l_output2" ]; then + exit 0 +else + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.6.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.6.sh new file mode 100644 index 0000000..2c8adb8 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.6.sh 
@@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +result=$(find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root) +if [ -z "$result" ]; then + exit 0 +else + echo "Files found that do not belong to the root user:" + echo "$result" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.7.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.7.sh new file mode 100644 index 0000000..1605d11 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.7.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +result=$(find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -group root) + +if [ -z "$result" ]; then + exit 0 +else + echo "Files found that do not belong to the root group:" + echo "$result" + exit 1 +fi diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.8.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.8.sh new file mode 100644 index 0000000..b172fc0 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.8.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +perm_mask="0022" +maxperm="$(printf '%o' $((0777 & ~$perm_mask)))" +audit_tools=("/sbin/auditctl" "/sbin/aureport" "/sbin/ausearch" "/sbin/autrace" "/sbin/auditd" "/sbin/augenrules") + +for a_tool in "${audit_tools[@]}"; do + if [ -e "$a_tool" ]; then + mode="$(stat -c '%#a' "$a_tool")" + if ((mode & perm_mask)); then + echo "Error: $a_tool has permissions that are too permissive." + exit 1 + fi + else + echo "Warning: $a_tool does not exist." + fi +done + +unset audit_tools +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.9.sh b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.9.sh new file mode 100644 index 0000000..38475c6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/6.3.4.9.sh 
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash +# List of files to check +files=(/sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules) + +# Go through each file in the list and check if it exists,if a file does not exist print error +for file in "${files[@]}"; do + if [ ! -e "$file" ]; then + echo "Error: at least one file does not exist " + exit 1 + fi +done + +# Loop to check the owner of each file +for file in "${files[@]}"; do + # Check if the file is owned by root + owner=$(stat -c "%U" "$file") + if [ "$owner" != "root" ]; then + echo "Error : $file not owned by root (current owner : $owner)" + exit 1 + fi +done + +echo "All files are owned by root." +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/7.1.10.sh b/ATAPAuditor/Helpers/ShellScripts/common/7.1.10.sh new file mode 100644 index 0000000..8a895d6 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/7.1.10.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash + +pathOpass='/etc/security/opasswd' +pathOpassOld='/etc/security/opasswd.old' + +for p in "$pathOpass" "$pathOpassOld"; do + if [[ -e $p ]]; then + read a u g < <(stat -c '%#a %u %g' $p) + [[ $((a & 0177)) -gt 0 || $u -ne 0 || $g -ne 0 ]] && exit 1 + fi +done + +exit 0 \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/common/7.1.11.sh b/ATAPAuditor/Helpers/ShellScripts/common/7.1.11.sh new file mode 100644 index 0000000..f583a1c --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/7.1.11.sh 
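Review bot: 6.3.4.9.sh aborts on the first missing path with the generic message `Error: at least one file does not exist` and never names it; include `$file` in the message so the report is actionable, or collect all missing paths before exiting. In 7.1.10.sh the path in `read a u g < <(stat -c '%#a %u %g' $p)` is unquoted; harmless for these two fixed paths, but quoting it keeps the script consistent with the rest of the set, and the file is missing its trailing newline.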
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash +##### NOT TESTED PROPERLY, THIS SCRIPT COULD BE CHANGED IN THE FUTURE ##### +smask="01000" + +ignored_paths=( + "/run/user/*" + "/proc/*" + "*/containerd/*" + "*/kubelet/pods/*" + "/sys/*" + "/snap/*" +) + +while read -r path; do + ignored_paths+=("$path/*") +done < <(findmnt -Dkerno fstype,target | awk '$1 ~ /^(nfs|proc|smb|vfat)$/ {print $2}') + +world_writable_files=$(find / \( ! -path "${ignored_paths[0]}" $(printf " -a ! -path %s" "${ignored_paths[@]:1}") \) \ + -type f -perm -0002 2>/dev/null) + +world_writable_dirs=$(find / -type d -perm -0002 ! -perm -$smask $(printf " -a ! -path '%s' " "${ignored_paths[@]}") 2>/dev/null) + +if [ -n "$world_writable_files" ]; then + exit 1 +fi + +if [ -n "$world_writable_dirs" ]; then + exit 1 +fi + +exit 0 diff --git a/ATAPAuditor/Helpers/ShellScripts/common/7.1.12.sh b/ATAPAuditor/Helpers/ShellScripts/common/7.1.12.sh new file mode 100644 index 0000000..9a5b8f2 --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/7.1.12.sh @@ -0,0 +1,21 @@ +#!/usr/bin/env bash +##### NOT TESTED PROPERLY, THIS SCRIPT COULD BE CHANGED IN THE FUTURE ##### + +ignored_paths=( + "/run/user/*" + "/proc/*" + "*/containerd/*" + "*/kubelet/pods/*" + "/sys/*" + "/snap/*" +) + +while read -r path; do + ignored_paths+=("$path/*") +done < <(findmnt -Dkerno fstype,target | awk '$1 ~ /^(nfs|proc|smb|vfat)$/ {print $2}') + +unowned=$(find / -xdev \( ! -path "${ignored_paths[@]}" \) -type f,d \( -nouser -o -nogroup \) 2>/dev/null) + +[[ -n $unowned ]] && exit 1 + +exit 0 \ No newline at end of file diff --git a/ATAPAuditor/Helpers/ShellScripts/common/7.1.9.sh b/ATAPAuditor/Helpers/ShellScripts/common/7.1.9.sh new file mode 100644 index 0000000..ceb547b --- /dev/null +++ b/ATAPAuditor/Helpers/ShellScripts/common/7.1.9.sh 
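Review bot: the exclusion in 7.1.12.sh, `\( ! -path "${ignored_paths[@]}" \)`, expands the array to several words after a single `-path`, so find aborts with "paths must precede expression"; because stderr goes to `/dev/null`, `$unowned` stays empty and the check always exits 0. In 7.1.11.sh the directory variant has a related problem: `printf " -a ! -path '%s' "` emits literal single quotes that survive into find's arguments (quote removal does not apply to command-substitution output), so none of the directory exclusions ever match, while the unquoted substitution in the file variant lets `/run/user/*` be glob-expanded against the live filesystem before find sees it. Build the expression as an array instead, e.g. `excl=(); for p in "${ignored_paths[@]}"; do excl+=(-a ! -path "$p"); done` and pass `"${excl[@]}"` to both find calls. Given the "NOT TESTED PROPERLY" banner, a run against a host with a known unowned file and a known world-writable directory under an excluded path would confirm both fixes.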
@@ -0,0 +1,18 @@ +#!/bin/bash + +file="/etc/shells" + +if [[ ! -e "$file" ]]; then + exit 0 +fi + +mode=$(stat -c "%a" "$file") +uid=$(stat -c "%u" "$file") +gid=$(stat -c "%g" "$file") + +if [[ "$mode" -le 644 && "$uid" -eq 0 && "$gid" -eq 0 ]]; then + exit 0 +else + exit 1 +fi + diff --git a/ATAPAuditor/Reports/Debian 10.ps1 b/ATAPAuditor/Reports/Debian 10.ps1 new file mode 100644 index 0000000..cf7539e --- /dev/null +++ b/ATAPAuditor/Reports/Debian 10.ps1 @@ -0,0 +1,19 @@ +[Report] @{ + Title = "Debian 10 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "Security baseline for Debian" + ) + Sections = @( + [ReportSection] @{ + Title = "General Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'Security Base Data' + AuditInfos = Test-AuditGroup "SBD - Linux Base Security" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Debian 11.ps1 b/ATAPAuditor/Reports/Debian 11.ps1 new file mode 100644 index 0000000..621a891 --- /dev/null +++ b/ATAPAuditor/Reports/Debian 11.ps1 @@ -0,0 +1,19 @@ +[Report] @{ + Title = "Debian 11 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Debian 11, Version: 1.0.0, Date: 2022-09-22" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all benchmarks from CIS" + SubSections = @( + [ReportSection] @{ + Title = 'CIS Recommendations' + AuditInfos = Test-AuditGroup "Debian Linux 11-CIS-1.0.0" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Debian 12.ps1 b/ATAPAuditor/Reports/Debian 12.ps1 new file mode 100644 index 0000000..056fc79 --- /dev/null +++ b/ATAPAuditor/Reports/Debian 12.ps1 
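Review bot: `[[ "$mode" -le 644 ... ]]` in 7.1.9.sh compares the octal digits from `stat -c "%a"` as a decimal number, so a mode such as 0611 (execute bits set for group and other) passes because 611 is numerically below 644, while 0700 fails. Test the forbidden bits with a mask as 7.1.10.sh does, e.g. `[ $((8#$mode & 0133)) -eq 0 ]`, or switch to `%#a` and `$((mode & 0133))`. The shebang `#!/bin/bash` also differs from the `#!/usr/bin/env bash` used by every other script in this directory.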
@@ -0,0 +1,19 @@ +[Report] @{ + Title = "Debian 12 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Debian 12, Version: 1.0.1, Date: 2024-04-15" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'CIS Recommendations' + AuditInfos = Test-AuditGroup "Debian Linux 12-CIS-1.0.1" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Fedora 35.ps1 b/ATAPAuditor/Reports/Fedora 35.ps1 new file mode 100644 index 0000000..4b868e7 --- /dev/null +++ b/ATAPAuditor/Reports/Fedora 35.ps1 @@ -0,0 +1,19 @@ +[Report] @{ + Title = "Fedora 35 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "Security baseline for Fedora" + ) + Sections = @( + [ReportSection] @{ + Title = "General Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'Security Base Data' + AuditInfos = Test-AuditGroup "SBD - Linux Base Security" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Google Chrome.ps1 b/ATAPAuditor/Reports/Google Chrome.ps1 new file mode 100644 index 0000000..dd2d506 --- /dev/null +++ b/ATAPAuditor/Reports/Google Chrome.ps1 
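Review bot: in Debian 12.ps1 the section titled "CIS Benchmarks" carries the description "This section contains the general benchmark results", which is the wording of the non-CIS baseline reports (Debian 10, Fedora 35); Debian 11.ps1 uses "This section contains all benchmarks from CIS" for the same section, so the two CIS reports should use the same description.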
@@ -0,0 +1,30 @@ +[Report] @{ + Title = 'Google Chrome Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + "CIS Google Chrome Benchmark, Version: 2.0.0, Date: 2019-05-17" + "DISA Google Chrome Security Technical Implementation Guide, Version: V1R15, Date: 2019-01-28" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Recommendations" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Google Chrome-CIS-2.0.0#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Google Chrome-DISA-V1R15#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Edge.ps1 b/ATAPAuditor/Reports/Microsoft Edge.ps1 new file mode 100644 index 0000000..941775c --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Edge.ps1 @@ -0,0 +1,30 @@ +[Report] @{ + Title = 'Microsoft Edge Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + "CIS Microsoft Edge Benchmark, Version: 2.0.0, Date: 2023-09-21" + "Microsoft Edge v117 Security Baseline FINAL, Version: 117, Date: 2024-04-12" + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Benchmarks' + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Edge-CIS-2.0.0#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "MS Baseline" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Edge-Microsoft-117#RegistrySettings" + } + ) + } + ) +} 
diff --git a/ATAPAuditor/Reports/Microsoft IIS10.ps1 b/ATAPAuditor/Reports/Microsoft IIS10.ps1 new file mode 100644 index 0000000..b9ac0e1 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft IIS10.ps1 
@@ -0,0 +1,2915 @@ +using namespace Microsoft.Web.Administration +using namespace Microsoft.Windows.ServerManager.Commands +Import-Module IISAdministration -Force + +$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent +$RootPath = Split-Path $RootPath -Parent +. "$RootPath\Helpers\AuditGroupFunctions.ps1" +$listOfWeakCipherSuites = getListOfWeakCipherSuites +$listOfInsecureCipherSuites = getListOfInsecureCipherSuites +#region Helper Functions +$MESSAGE_ALLGOOD = "All Good" + +function Get-IISSiteVirtualPaths { + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site, + + [switch] $AllVirtualDirectories + ) + + process { + foreach ($App in $Site.Applications) { + Write-Output ($App.Path) + + if ($AllVirtualDirectories) { + foreach ($VirtualDirectory in $App.VirtualDirectories) { + if ($VirtualDirectory.Path -ne "/") { + $AppPath = if ($App.Path -ne "/") { + $App.Path + } + else { + "" + } + Write-Output ($AppPath + $VirtualDirectory.Path) + } + } + } + } + } +} + +function Get-IISModules { + (Get-IISConfigSection -SectionPath "system.webServer/modules").GetCollection() ` + | Get-IISConfigAttributeValue -AttributeName "Name" +} +#endregion + +#region 1 Basic Configuration +# +# This section contains basic Web server-level recommendations + +# 1.1 +function Test-IISVirtualDirPartition { + <# + .Synopsis + Ensure web content is on non-system partition + .Description + Web resources published through IIS are mapped, via Virtual Directories, to physical locations on disk. It is recommended to map all Virtual Directories to a non-system disk volume. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $SystemDrive = [system.environment]::getenvironmentvariable("SystemDrive") + $Path = $Site.Applications["/"].VirtualDirectories["/"].PhysicalPath + + if ($Path.StartsWith("%SystemDrive%") -or $Path.StartsWith($SystemDrive)) { + $message = "Web content is on system partition" + $audit = "False" + } + + @{ + Id = "1.1" + Task = "Ensure web content is on non-system partition" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 1.2 +function Test-IISHostHeaders { + <# + .Synopsis + Ensure 'host headers' are on all sites + .DESCRIPTION + Host headers provide the ability to host multiple websites on the same IP address and port. It is recommended that host headers be configured for all sites. Wildcard host headers are now supported. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + [array]$Bindings = $Site.Bindings | Where-Object { [string]::IsNullOrEmpty($_.Host) } + + if ($Bindings.Count -gt 0) { + $message = "The following bindings do no specify a host: " + ($Bindings.bindingInformation -join ", ") + $audit = "False" + } + + @{ + Id = "1.2" + Task = "Ensure 'host headers' is set" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 1.3 +function Test-IISDirectoryBrowsing { + <# + .Synopsis + Ensure 'directory browsing' is set to disabled + .Description + Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in Internet Information Services, users receive a page that lists the contents of the directory when the following two conditions are met: + + 1. No specific file is requested in the URL + 2. 
The Default Documents feature is disabled in IIS, or if it is enabled, IIS is unable to locate a file in the directory that matches a name specified in the IIS default document list + + It is recommended that directory browsing be disabled. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup){ + # Ensure directory browsing is installed + if ((Get-WindowsFeature Web-Dir-Browsing).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/directoryBrowse" + $section = $Configuration.GetSection($path) + + $Enabled = $section | Get-IISConfigAttributeValue -AttributeName "enabled" + + if ($Enabled -eq $true) { + $message = "Directory Browsing is enabled" + $audit = "False" + } + elseif ($null -eq $Enabled) { + $message = "Directory Browsing not explicit set to false" + $audit = "Warning" + } + } + } + else{ + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + @{ + Id = "1.3" + Task = "Ensure 'directory browsing' is set to disabled" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 1.4 +function Test-IISAppPoolIdentity { + <# + .Synopsis + Ensure 'application pool identity' is configured for all application pools + .Description + Application Pool Identities are the actual users/authorities that will run the worker process - w3wp.exe. Assigning the correct user authority will help ensure that applications can function properly, while not giving overly permissive permissions on the system. These identities can further be used in ACLs to protect system content. It is recommended that each Application Pool run under a unique identity. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [ApplicationPool] $AppPool + ) + + begin { + $AppPoolUsers = (Get-IISAppPool).ProcessModel.Username | Group-Object -NoElement + } + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if ($AppPool.ProcessModel.IdentityType -eq [ProcessModelIdentityType]::SpecificUser) { + # Get the username of the specific application + $Username = $AppPool.ProcessModel.UserName + + if (($AppPoolUsers | Where-Object Name -eq $Username).Count -gt 1) { + $message = "ApplicationPoolIdentity $Username is used for more than one ApplicationPool" + $audit = "False" + } + else { + $message = "Unique ApplicationPoolIdentity $Username is used." + $audit = "True" + } + } + elseif ($AppPool.ProcessModel.IdentityType -ne [ProcessModelIdentityType]::ApplicationPoolIdentity) { + $message = "ApplicationPoolIdentity is not set" + $audit = "False" + } + + @{ + Id = "1.4" + Task = "Ensure 'application pool identity' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 1.5 +function Test-IISUniqueSiteAppPool { + <# + .Synopsis + Ensure 'unique application pools' is set for sites + .Description + IIS introduced a new security feature called Application Pool Identities that allows Application Pools to be run under unique accounts without the need to create and manage local or domain accounts. It is recommended that all Sites run under unique, dedicated Application Pools. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $Apps = foreach ($Site in (Get-IISSite)) { + foreach ($App in $Site.Applications) { + New-Object -TypeName PSObject -Property @{ + VirtualPath = $Site.name + $App.path + ApplicationPoolName = $App.ApplicationPoolName + } + } + } + + [array]$Findings = $Apps ` + | Group-Object -Property ApplicationPoolName ` + | Where-Object -Property Count -gt 1 + + if ($Findings.Count -gt 0) { + $message = "Following sites do not have unique Application Pools: " + ($findings.Group.VirtualPath -join ", ") + $audit = "False" + } + + @{ + Id = "1.5" + Task = "Ensure 'unique application pools' is set for sites" + Status = $audit + Message = $message + } | Write-Output +} + +# 1.6 +function Test-IISAnonymouseUserIdentity { + <# + .Synopsis + Ensure 'application pool identity' is configured for anonymous user identity + .Description + To achieve isolation in IIS, application pools can be run as separate identities. IIS can be configured to automatically use the application pool identity if no anonymous user account is configured for a Web site. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier. It is recommended the Application Pool Identity be set as the Anonymous User Identity. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup){ + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.webServer/security/authentication/anonymousAuthentication" + $section = $Configuration.GetSection($path) + + $username = $section | Get-IISConfigAttributeValue -AttributeName "userName" + + if ($username -ne "") { + $message = "Username is set to: $username" + $audit = "False" + } + } + else{ + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "1.6" + Task = "Ensure 'application pool identity' is configured for anonymous user identity" + Status = $audit + Message = $message + } | Write-Output + } +} + +#endregion + +#region 2 Configure Authentication and Authorization +# +# This section contains recommendations around the different layers of authentication in IIS. + +# 2.1 +function Test-IISGlobalAuthorization { + <# + .Synopsis + Ensure 'global authorization rule' is set to restrict access + .Description + IIS introduced URL Authorization, which allows the addition of Authorization rules to the actual URL, instead of the underlying file system resource, as a way to protect it. Authorization rules can be configured at the server, web site, folder (including Virtual Directories), or file level. The native URL Authorization module applies to all requests, whether they are .NET managed or other types of files (e.g. static files or ASP files). It is recommended that URL Authorization be configured to only grant access to the necessary security principals. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure URL Authentication is installed + if ((Get-WindowsFeature Web-Url-Auth).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/authorization" + $section = $Configuration.GetSection($path) + + [array]$elements = $section.GetCollection() ` + | Where-Object { + $accessType = $_ | Get-IISConfigAttributeValue -AttributeName "accessType" + $users = $_ | Get-IISConfigAttributeValue -AttributeName "users" + $roles = $_ | Get-IISConfigAttributeValue -AttributeName "roles" + ($accessType -eq "Allow") -and ($users -eq "*" -or $roles -eq "?") + } + + if ($elements.Count -ne 0) { + $message = "Authorization rule to allow all or anonymous users is set" + $audit = "False" + } + } + else { + $message = "URL Authorization is not installed" + $audit = "Warning" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.1" + Task = "Ensure 'global authorization rule' is set to restrict access" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.2 +function Test-IISAuthenticatedPricipals { + <# + .Synopsis + Ensure access to sensitive site features is restricted to authenticated principals only + .Description + IIS supports both challenge-based and login redirection-based authentication methods. Challenge-based authentication methods, such as Integrated Windows Authentication, require a client to respond correctly to a server-initiated challenge. A login redirection-based authentication method such as Forms Authentication relies on redirection to a login page to determine the identity of the principal. 
Challenge-based authentication and login redirection-based authentication methods cannot be used in conjunction with one another. + + It is recommended that sites containing sensitive information, confidential data, or non-public web services be configured with a credentials-based authentication mechanism. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/authentication" + $section = $Configuration.GetSection($path) + + $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" + + if (($mode -ne "Windows") -and ($mode -ne "Forms")) { + $message = "Check authentication principals" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.2" + Task = "Ensure access to sensitive site features is restricted to authenticated principals only" + Status = $audit + Message = $message + } | Write-Output + } + +} + +# 2.3 +function Test-IISFormsAuthenticationSSL { + <# + .Synopsis + Ensure 'forms authentication' require SSL + .Description + Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that communications with any portion of a site using Forms Authentication be encrypted using SSL. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/authentication" + $section = $Configuration.GetSection($path) + + $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" + + if ((Get-IISModules) -contains "FormsAuthentication") { + # Ensure authentication mode is set to Forms + if ($mode -eq "Forms") { + + $requireSSL = $section ` + | Get-IISConfigElement -ChildElementName "forms" ` + | Get-IISConfigAttributeValue -AttributeName "requireSSL" + + if (-not $requireSSL) { + $message = "Forms authentication does not require SSL" + $audit = "False" + } + } + } + else { + $message = "Forms authentication is not installed" + $audit = "Warning" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.3" + Task = "Ensure 'forms authentication' require SSL" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.4 +function Test-IISFormsAuthenticationCookies { + <# + .Synopsis + Ensure 'forms authentication' is set to use cookies + .Description + Forms Authentication can be configured to maintain the site visitor's session identifier in either a URI or cookie. It is recommended that Forms Authentication be set to use cookies. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/authentication" + $section = $Configuration.GetSection($path) + + $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" + + if ((Get-IISModules) -contains "FormsAuthentication") { + if ($mode -eq "Forms") { + $cookieless = $section | Get-IISConfigElement -ChildElementName "forms" ` + | Get-IISConfigAttributeValue -AttributeName "cookieless" + + if ($cookieless -ne "UseCookies") { + $message = "Forms authentication is not set to use cookies" + $audit = "False" + } + } + } + else { + $message = "Forms authentication is not installed" + $audit = "Warning" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.4" + Task = "Ensure 'forms authentication' is set to use cookies" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.5 +function Test-IISFormsAuthenticationProtection { + <# + .Synopsis + Ensure 'cookie protection mode' is configured for forms authentication + .Description + The cookie protection mode defines the protection Forms Authentication cookies will be given within a configured application. + + It is recommended that cookie protection mode always encrypt and validate Forms Authentication cookies. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/authentication" + $section = $Configuration.GetSection($path) + + $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" + + if ((Get-IISModules) -contains "FormsAuthentication") { + if ($mode -ieq "Forms") { + $protection = $section ` + | Get-IISConfigElement -ChildElementName "forms" ` + | Get-IISConfigAttributeValue -AttributeName "protection" + + if ($protection -ne "All") { + $message = "Cookie Protection Mode is not set to ALL" + $audit = "False" + } + } + } + else { + $message = "Forms authentication is not installed" + $audit = "Warning" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.5" + Task = "Ensure 'cookie protection mode' is configured for forms authentication" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.6 +function Test-IISTLSForBasicAuth { + <# + .Synopsis + Ensure transport layer security for 'basic authentication' is configured + .Description + Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted, especially in cases where the site is publicly accessible and is recommended that TLS be configured and required for any Site or Application using Basic Authentication. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if ((Get-WindowsFeature Web-Basic-Auth).InstallState -eq [InstallState]::Installed) { + [array]$httpsBindings = $Site.Bindings | Where-Object -Property Protocol -eq "https" + + $sslFlags = Get-IISConfigSection -Location $Site.Name ` + -SectionPath "system.webServer/security/access" ` + | Get-IISConfigAttributeValue -AttributeName "sslFlags" + + # split the flags into an array + $sslValues = $sslFlags.Split("{,}") + + # Ensure ssl-flag is set + if (-not ($sslValues -contains "ssl")) { + $message = "SSL is not required in configuration" + $audit = "False" + } + # Ensure site has https bindings + elseif ($httpsBindings.Count -eq 0) { + $message = "Site has no secure protocol binding" + $audit = "False" + } + } + + @{ + Id = "2.6" + Task = "Ensure transport layer security for 'basic authentication' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.7 +function Test-IISPasswordFormatNotClear { + <# + .Synopsis + Ensure 'passwordFormat' is not set to clear + .Description + The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/authentication" + $section = $Configuration.GetSection($path) + + $passwordFormat = $section ` + | Get-IISConfigElement -ChildElementName "forms" ` + | Get-IISConfigElement -ChildElementName "credentials" ` + | Get-IISConfigAttributeValue -AttributeName "passwordFormat" + + if ($passwordFormat -eq "Clear" ) { + $message = "Credentials passwordFormat set to 'Clear'" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.7" + Task = "Ensure 'passwordFormat' is not set to clear" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.7 +function Test-IISPasswordFormatNotClearMachineLevel { + <# + .Synopsis + Ensure 'passwordFormat' is not set to clear + .Description + The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() + $passwordFormat = $machineConfig.GetSection("system.web/authentication").forms.credentials.passwordFormat + + if ($passwordFormat -eq "Clear" ) { + $message = "Credentials passwordFormat set to 'Clear'" + $audit = "False" + } + + @{ + Id = "2.7" + Task = "Ensure 'passwordFormat' is not set to clear" + Status = $audit + Message = $message + } | Write-Output +} + +# 2.8 +function Test-IISCredentialsNotStored { + <# + .Synopsis + Ensure 'credentials' are not stored in configuration files + .Description + The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended to avoid storing passwords in the configuration file even in form of hash. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/authentication" + $section = $Configuration.GetSection($path) + + $credentials = $section ` + | Get-IISConfigElement -ChildElementName "forms" ` + | Get-IISConfigElement -ChildElementName "credentials" + + if ($credentials.IsLocallyStored) { + $message = "'credentials' is stored in configuration" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "2.8" + Task = "Ensure 'credentials' are not stored in configuration files" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 2.8 +function Test-IISCredentialsNotStoredMachineLevel { + <# + .Synopsis + Ensure 'credentials' are not stored in configuration files + .Description + The element of the element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended to avoid storing passwords in the configuration file even in form of hash. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() + $credentials = $machineConfig.GetSection("system.web/authentication").forms.credentials + + if ($credentials.ElementInformation.IsPresent) { + $message = "'credentials' is stored in configuration" + $audit = "False" + } + + @{ + Id = "2.8" + Task = "Ensure 'credentials' are not stored in configuration files" + Status = $audit + Message = $message + } | Write-Output +} + +#endregion + +#region 3 ASP.NET Configuration Recommendation +# +# This section contains recommendations specific to ASP.NET. + +# 3.1 +function Test-IISDeploymentMethodRetail { + <# + .Synopsis + Ensure 'deployment method retail' is set + .Description + The switch is intended for use by production IIS servers. This switch is used to help applications run with the best possible performance and least possible security information leakages by disabling the application's ability to generate trace output on a page, disabling the ability to display detailed error messages to end users, and disabling the debug switch. Often times, switches and options that are developer-focused, such as failed request tracing and debugging, are enabled during active development. It is recommended that the deployment method on any production server be set to retail. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() + $deployment = $machineConfig.GetSection("system.web/deployment") + + if (-not $deployment.retail) { + $message = "retail is not enabled in machine.config" + $audit = "False" + } + + @{ + Id = "3.1" + Task = "Ensure 'deployment method retail' is set" + Status = $audit + Message = $message + } | Write-Output +} + +# 3.2 +function Test-IISDebugOff { + <# + .Synopsis + Ensure 'debug' is turned off + .Description + Developers often enable the debug mode during active ASP.NET development so that they do not have to continually clear their browsers cache every time they make a change to a resource handler. The problem would arise from this being left "on" or set to "true". Compilation debug output is displayed to the end user, allowing malicious persons to obtain detailed information about applications. + + is recommended that debugging still be turned off. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/compilation" + $section = $Configuration.GetSection($path) + + $debug = $section | Get-IISConfigAttributeValue -AttributeName "debug" + + if ($debug) { + $message = "Debug is ON" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "3.2" + Task = "Ensure 'debug' is turned off" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.3 +function Test-IISCustomErrorsNotOff { + <# + .Synopsis + Ensure custom error messages are not off + .Description + When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether or not the application should display a friendly message to the client, detailed error message to the client, or detailed error message to localhost only. + + It is recommended that customErrors still be turned to On or RemoteOnly. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/customErrors" + $section = $Configuration.GetSection($path) + + $mode = $section | Get-IISConfigAttributeValue -AttributeName "mode" + + if ($mode -eq "Off") { + $message = "Custom errors are 'OFF'" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "3.3" + Task = "Ensure custom error messages are not off" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.4 +function Test-IISHttpErrorsHidden { + <# + .Synopsis + Ensure IIS HTTP detailed errors are hidden from displaying remotely + .Description + A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the element of the section. It is recommended that custom errors be prevented from displaying remotely. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.webServer/httpErrors" + $section = $Configuration.GetSection($path) + + $errorMode = $section | Get-IISConfigAttributeValue -AttributeName "errorMode" + + if (($errorMode -ne "Custom") -and ($errorMode -ne "DetailedLocalOnly")) { + $message = "HTTP detailed errors are set to 'Detailed'" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "3.4" + Task = "Ensure IIS HTTP detailed errors are hidden from displaying remotely" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.5 +function Test-IISAspNetTracingDisabled { + <# + .Synopsis + Ensure ASP.NET stack tracing is not enabled + .Description + A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the element of the section. It is recommended that custom errors be prevented from displaying remotely. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/trace" + $section = $Configuration.GetSection($path) + + $traceEnabled = $section | Get-IISConfigAttributeValue -AttributeName "enabled" + + if ($traceEnabled) { + $message = "trace is enabled" + $audit = "FALSE" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "3.5" + Task = "Ensure ASP.NET stack tracing is not enabled" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.5 +function Test-IISAspNetTracingDisabledMachineLevel { + <# + .Synopsis + Ensure ASP.NET stack tracing is not enabled + .Description + A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. This setting can be modified in the errorMode attribute setting for a Web site's error pages. By default, the errorMode attribute is set in the Web.config file for the Web site or application and is located in the element of the section. It is recommended that custom errors be prevented from displaying remotely. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $machineConfig = [System.Configuration.ConfigurationManager]::OpenMachineConfiguration() + $trace = $machineConfig.GetSection("system.web/trace") + + if ($trace.enabled) { + $message = "trace is enabled in machine.config" + $audit = "FALSE" + } + + @{ + Id = "3.5" + Task = "Ensure ASP.NET stack tracing is not enabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 3.6 +function Test-IISCookielessSessionState { + <# + .Synopsis + Ensure 'httpcookie' mode is configured for session state + .Description + A session cookie associates session information with client information for that session, which can be the duration of a user's connection to a site. The cookie is passed in a HTTP header together with all requests between the client and server. + + It is recommended that session state be configured to UseCookies. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/sessionState" + $section = $Configuration.GetSection($path) + + $cookieless = $section | Get-IISConfigAttributeValue -AttributeName "cookieless" + + if (($cookieless -ne "UseCookies") -and ($cookieless -ne "False")) { + $message = "sessionState set to $cookieless" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "3.6" + Task = "Ensure 'httpcookie' mode is configured for session state" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.7 +function Test-IISCookiesHttpOnly { + <# + .Synopsis + Ensure 'cookies' are set with HttpOnly attribute + .Description + The httpOnlyCookies attribute of the httpCookies node determines if IIS will set the HttpOnly flag on 
HTTP cookies it sets. The HttpOnly flag indicates to the user agent that the cookie must not be accessible by client-side script (i.e document.cookie). It is recommended that the httpOnlyCookies attribute be set to true. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.web/httpCookies" + $section = $Configuration.GetSection($path) + + $httpOnlyCookies = $section | Get-IISConfigAttributeValue -AttributeName "httpOnlyCookies" + + if (-not $httpOnlyCookies) { + $message = "httpOnlyCookies set to $httpOnlyCookies" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "3.7" + Task = "Ensure 'cookies' are set with HttpOnly attribute" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.8 +function Test-IISMachineKeyValidation { + <# + .Synopsis + Ensure 'MachineKey validation method - .Net 3.5' is configured + .Description + The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification. + + It is recommended that AES or SHA1 methods be configured for use at the global level. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $siteAppPool = $Site.Applications["/"].ApplicationPoolName + $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion + + # Ensure ApplicationPool running is .NET 3.5 (which is an extension of 2.0 so we look for 2.*) + if ($appPoolVersion -like "v2.*") { + + $validation = Get-IISConfigSection -CommitPath $Site.Name ` + -SectionPath "system.web/machineKey" ` + | Get-IISConfigAttributeValue -AttributeName "Validation" + + if ($validation -ne "SHA1") { + $message = "Validation set to $validation" + $audit = "False" + } + } + + @{ + Id = "3.8" + Task = "Ensure 'MachineKey validation method - .Net 3.5' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.9 +function Test-IISMachineKeyValidationV45 { + <# + .Synopsis + Ensure 'MachineKey validation method - .Net 4.5' is configured + .Description + The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. The Machine Key feature can be managed to specify hashing and encryption settings for application services such as view state, Forms authentication, membership and roles, and anonymous identification. + + It is recommended that SHA-2 methods be configured for use at the global level. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $siteAppPool = $site.Applications["/"].ApplicationPoolName + $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion + + # Ensure an ApplicationPool is running .NET 4.5 + if ($appPoolVersion -like "v4.*") { + $validation = Get-IISConfigSection -CommitPath $Site.name ` + -SectionPath "system.web/machineKey" ` + | Get-IISConfigAttributeValue -AttributeName "Validation" + + if (($validation -ne "HMACSHA256") -and ($validation -ne "HMACSHA512")) { + $message = "Validation set to $validation" + $audit = "False" + } + } + + @{ + Id = "3.9" + Task = "Ensure 'MachineKey validation method - .Net 4.5' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 3.10 +function Test-IISDotNetTrustLevel { + <# + .Synopsis + Ensure global .NET trust level is configured + .Description + An application's trust level determines the permissions that are granted by the ASP.NET code access security (CAS) policy. CAS defines two trust categories: full trust and partial trust. An application that has full trust permissions may access all resource types on a server and perform privileged operations, while applications that run with partial trust have varying levels of operating permissions and access to resources. + + It is recommended that the global .NET Trust Level be set to Medium or lower. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $siteAppPool = $site.Applications["/"].ApplicationPoolName + $appPoolVersion = (Get-IISAppPool -Name $siteAppPool).managedRuntimeVersion + + if ($appPoolVersion -like "v4.*") { + $message = "This only applies to .Net 2.0. Future versions have stopped supporting this feature." 
+ $audit = "None" + } + else { + $level = Get-IISConfigSection -CommitPath $Site.name ` + -SectionPath "system.web/trust" ` + | Get-IISConfigAttributeValue -AttributeName "level" + + # medium trust level should be set in .NET 2.*, but not in later versions + if (($appPoolVersion -like "v2.*" -and $level -ne "medium" -or $level -ne "low" -or $level -ne "minimal") ` + -or ($appPoolVersion -notlike "v4.*" -and -not [string]::IsNullOrEmpty($appPoolVersion))) { + $message = "TrustLevel set to $level" + $audit = "False" + } + } + + @{ + Id = "3.10" + Task = "Ensure global .NET trust level is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +#endregion + +#region 4 Request Filtering and Other Restriction Modules +# +# Request Filtering is a powerful module that provides a configurable set of rules that enables administrators to allow or reject the types of requests that they determine should be allowed or rejected at the server, web site, or web application levels. + + +# 4.1 +function Test-IISMaxAllowedContentLength { + <# + .Synopsis + Ensure 'maxAllowedContentLength' is configured + .Description + The maxAllowedContentLength Request Filter is the maximum size of the http request, measured in bytes, which can be sent from a client to the server. Configuring this value enables the total request size to be restricted to a configured value. It is recommended that the overall size of requests be restricted to a maximum value appropriate for the server, site, or application. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure request filering is installed + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + $section = $Configuration.GetSection($path) + + $maxContentLength = $section ` + | Get-IISConfigElement -ChildElementName "requestLimits" ` + | Get-IISConfigAttributeValue -AttributeName "maxAllowedContentLength" + + if ($maxContentLength -ge 0) { + $message += "`n maxContentLength: $maxContentLength" + } + else { + $message = "maxContentLength not configured" + $audit = "False" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.1" + Task = "Ensure 'maxAllowedContentLength' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.2 +function Test-IISMaxURLRequestFilter { + <# + .Synopsis + Ensure 'maxURL request filter' is configured + .Description + The maxURL attribute of the property is the maximum length (in Bytes) in which a requested URL can be (excluding query string) in order for IIS to accept. Configuring this Request Filter enables administrators to restrict the length of the requests that the server will accept. It is recommended that a limit be put on the length of URL. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure request filering is installed + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + $section = $Configuration.GetSection($path) + + $maxURLRequestFilter = $section ` + | Get-IISConfigElement -ChildElementName "requestLimits" ` + | Get-IISConfigAttributeValue -AttributeName "maxURL" + + if ($maxURLRequestFilter -ge 1) { + $message += "`n maxURLRequestFilter: $maxURLRequestFilter" + } + else { + $message = "maxURLRequestFilter not configured" + $audit = "False" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + + @{ + Id = "4.2" + Task = "Ensure 'maxURL request filter' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.3 +function Test-IISMaxQueryStringRequestFilter { + <# + .Synopsis + Ensure 'MaxQueryString request filter' is configured + .Description + The MaxQueryString Request Filter describes the upper limit on the length of the query string that the configured IIS server will allow for websites or applications. It is recommended that values always be established to limit the amount of data will can be accepted in the query string. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure request filering is installed + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + $section = $Configuration.GetSection($path) + + $maxQueryStringRequestFilter = $section ` + | Get-IISConfigElement -ChildElementName "requestLimits" ` + | Get-IISConfigAttributeValue -AttributeName "maxQueryString" + + if ($maxQueryStringRequestFilter -ge 1) { + $message += "`n maxQueryStringRequestFilter: $maxQueryStringRequestFilter" + } + else { + $message = "maxQueryStringRequestFilter not configured" + $audit = "False" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.3" + Task = "Ensure 'MaxQueryString request filter' is configured" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.4 +function Test-IISNonASCIICharURLForbidden { + <# + .Synopsis + Ensure non-ASCII characters in URLs are not allowed + .Description + This feature is used to allow or reject all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScan equivalent is AllowHighBitCharacters. It is recommended that requests containing non-ASCII characters be rejected, where possible. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure request filering is installed + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + $section = $Configuration.GetSection($path) + + $allowHighBitCharacters = $section ` + | Get-IISConfigAttributeValue -AttributeName "allowHighBitCharacters" + + if ($allowHighBitCharacters) { + $message = "non-ASCII characters in URLs are allowed" + $audit = "False" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.4" + Task = "Ensure non-ASCII characters in URLs are not allowed" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.5 +function Test-IISRejectDoubleEncodedRequests { + <# + .Synopsis + Ensure Double-Encoded requests will be rejected + .Description + This Request Filter feature prevents attacks that rely on double-encoded requests and applies if an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS will go through a two iteration process of normalizing the request. If the first normalization differs from the second, the request is rejected and the error code is logged as a 404.11. The double-encoded requests filter was the VerifyNormalization option in UrlScan. It is recommended that double-encoded requests be rejected. 
+ #> + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure request filering is installed + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + $section = $Configuration.GetSection($path) + + $allowDoubleEscaping = $section` + | Get-IISConfigAttributeValue -AttributeName "allowDoubleEscaping" + + if ($allowDoubleEscaping) { + $message = "Rejecting Double-Encoded requests not set" + $audit = "False" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.5" + Task = "Ensure Double-Encoded requests will be rejected" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.6 +function Test-IISHTTPTraceMethodeDisabled { + <# + .Synopsis + Ensure 'HTTP Trace Method' is disabled + .Description + The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as authentication data or cookies, contained in the HTTP headers of the request. One such way to mitigate this is by using the element of the collection. The element replaces the [AllowVerbs] and [DenyVerbs] features in UrlScan. It is recommended the HTTP TRACE method be denied. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = "HTTP Trace Method is not filtered" + $audit = "False" + + # Ensure request filering is installed + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + $section = $Configuration.GetSection($path) + + [array]$httpTraceMethod = $section.GetCollection("verbs") ` + | Where-Object { + $trace = $_ | Get-IISConfigAttributeValue -AttributeName "verb" + $allowed = $_ | Get-IISConfigAttributeValue -AttributeName "allowed" + ($trace -eq "trace") -and (-not $allowed) + } + + if ($httpTraceMethod.Count -eq 1) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.6" + Task = "Ensure 'HTTP Trace Method' is disabled" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.7 +function Test-IISBlockUnlistedFileExtensions { + <# + .Synopsis + Ensure Unlisted File Extensions are not allowed + .Description + The FileExtensions Request Filter allows administrators to define specific extensions their web server(s) will allow and disallow. The property allowUnlisted will cover all other file extensions not explicitly allowed or denied. Often times, extensions such as .config, .bat, .exe, to name a few, should never be served. The AllowExtensions and DenyExtensions options are the UrlScan equivalents. It is recommended that all extensions be unallowed at the most global level possible, with only those necessary being allowed. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if ((Get-WindowsFeature Web-Filtering).InstallState -eq [InstallState]::Installed) { + $path = "system.webServer/security/requestFiltering" + + $section = $Configuration.GetSection($path) + + $allowUnlisted = $section ` + | Get-IISConfigElement -ChildElementName "fileExtensions" ` + | Get-IISConfigAttributeValue -AttributeName "allowUnlisted" + + + if ($allowUnlisted) { + $message = "Unlisted file extensions allowed" + $audit = "False" + } + } + else { + $message = "Request Filering is not installed" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.7" + Task = "Ensure Unlisted File Extensions are not allowed" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.8 +function Test-IISHandlerDenyWrite { + <# + .Synopsis + Ensure Handler is not granted Write and Script/Execute + .Description + Handler mappings can be configured to give permissions to Read, Write, Script, or Execute depending on what the use is for - reading static content, uploading files, executing scripts, etc. It is recommended to grant a handler either Execute/``Script or Write permissions, but not both. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "system.webServer/handlers" + $section = $Configuration.GetSection($path) + $accessPolicy = ($section | Get-IISConfigAttributeValue -AttributeName "accessPolicy").Split(",") + + if ((($accessPolicy -contains "Script") -or ($accessPolicy -contains "Execute")) ` + -and ($accessPolicy -contains "Write")) { + $message = "Handler is granted write and script/execute" + $audit = "False" + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "4.8" + Task = "Ensure Handler is not granted Write and Script/Execute" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 4.9 +function Test-IISIsapisNotAllowed { + <# + .Synopsis + Ensure 'notListedIsapisAllowed' is set to false + .Description + The notListedIsapisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the element of the section under . This element ensures that malicious users cannot copy unauthorized ISAPI binaries to the Web server and then run them. It is recommended that notListedIsapisAllowed be set to false. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + try { + $isapiCgiRestriction = Get-IISConfigSection ` + -SectionPath "system.webServer/security/isapiCgiRestriction" ` + | Get-IISConfigAttributeValue -AttributeName "notListedIsapisAllowed" + + # Verify that the notListedIsapisAllowed attribute in the element is set to false + if ($isapiCgiRestriction) { + $message = "IsapiCgiRestriction 'notListedIsapisAllowed' not set to false" + $audit = "False" + } + } + catch { + $message = "Cannot get setting 'notListedIsapisAllowed' for IsapiCgiRestriction" + $audit = "False" + } + + @{ + Id = "4.9" + Task = "Ensure 'notListedIsapisAllowed' is set to false" + Status = $audit + Message = $message + } | Write-Output +} + +# 4.10 +function Test-IISCgisNotAllowed { + <# + .Synopsis + Ensure 'notListedCgisAllowed' is set to false + .Description + The notListedCgisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the element of the section under . This element ensures that malicious users cannot copy unauthorized CGI binaries to the Web server and then run them. It is recommended that notListedCgisAllowed be set to false. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + try { + $isapiCgiRestriction = Get-IISConfigSection ` + -SectionPath "system.webServer/security/isapiCgiRestriction" ` + | Get-IISConfigAttributeValue -AttributeName "notListedCgisAllowed" + + # Verify that the notListedCgisAllowed attribute in the element is set to false + if ($isapiCgiRestriction) { + $message = "IsapiCgiRestriction 'notListedCgisAllowed' not set to false" + $audit = "False" + } + } + catch { + $message = "Cannot get setting 'notListedCgisAllowed' for IsapiCgiRestriction" + $audit = "False" + } + + @{ + Id = "4.10" + Task = "Ensure 'notListedCgisAllowed' is set to false" + Status = $audit + Message = $message + } | Write-Output +} + +# 4.11 +function Test-IISDynamicIPRestrictionEnabled { + <# + .Synopsis + Ensure 'Dynamic IP Address Restrictions' is enabled + .Description + IIS Dynamic IP Address Restrictions capability can be used to thwart DDos attacks. This is complimentary to the IP Addresses and Domain names Restrictions lists that can be manually maintained within IIS. In contrast, Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified request threshold. The default action Deny action for restrictions is to return a Forbidden response to the client. 
+ #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + # Ensure the windows feature is installed + if ((Get-WindowsFeature Web-Ip-Security).InstallState -ne [InstallState]::Installed) { + $message = "`"IP and Domain Restrictions`" must be installed to enabled `"Dynamic IP Address Restrictions`"" + $audit = "False" + } + else { + $dynamicIpSecurity = Get-IISConfigSection -Location $Site.Name ` + -SectionPath "system.webServer/security/dynamicIpSecurity" + + $denyByConcurrentRequests = $dynamicIpSecurity ` + | Get-IISConfigElement -ChildElementName "denyByConcurrentRequests" ` + | Get-IISConfigAttributeValue -AttributeName "enabled" + + $denyByRequestRate = $dynamicIpSecurity ` + | Get-IISConfigElement -ChildElementName "denyByRequestRate" ` + | Get-IISConfigAttributeValue -AttributeName "enabled" + + if ($denyByConcurrentRequests -and -not $denyByRequestRate) { + $message = "Deny IP Address based on the number of requests over a period of time disabled" + $audit = "False" + } + elseif (-not $denyByConcurrentRequests -and $denyByRequestRate) { + $message = "Deny IP Address based on the number of concurrent requests disabled" + $audit = "False" + } + elseif (-not $denyByConcurrentRequests -and -not $denyByRequestRate) { + $message = "Dynamic IP Restriction disabled" + $audit = "False" + } + } + + @{ + Id = "4.11" + Task = "Ensure 'Dynamic IP Address Restrictions' is enabled" + Status = $audit + Message = $message + } | Write-Output + } +} + +#endregion + +#region 5 IIS Logging Recommendations +# +# This section contains recommendations regarding IIS logging that have not been covered in the Basic Configurations section. + +# 5.1 +function Test-IISLogFileLocation { + <# + .Synopsis + Ensure Default IIS web log location is moved + .Description + IIS will log relatively detailed information on every request. 
These logs are usually the first item looked at in a security response, and can be the most valuable. Malicious users are aware of this, and will often try to remove evidence of their activities. It is therefore recommended that the default location for IIS log files be changed to a restricted, non-system drive. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $logFileLocation = ($Site.logFile.Directory).replace("%SystemDrive%", $env:SystemDrive) + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if ($logFileLocation.StartsWith($env:SystemDrive)) { + $message = "Logfile location is on system drive: $logFileLocation" + $audit = "False" + } + + @{ + Id = "5.1" + Task = "Ensure Default IIS web log location is moved" + Status = $audit + Message = $message + } | Write-Output + } +} + +# 5.2 +function Test-IISAdvancedLoggingEnabled { + <# + .Synopsis + Ensure Advanced IIS logging is enabled + .Description + IIS Advanced Logging is a module which provides flexibility in logging requests and client data. It provides controls that allow businesses to specify what fields are important, easily add additional fields, and provide policies pertaining to log file rollover and Request Filtering. HTTP request/response headers, server variables, and client-side fields can be easily logged with minor configuration in the IIS management console. It is recommended that Advanced Logging be enabled, and the fields which could be of value to the type of business or application in the event of a security incident, be identified and logged. + #> + + # check site defaults + + @{ + Id = "5.2" + Task = "Ensure Advanced IIS logging is enabled" + Status = "None" + Message = "Advanced Logging is not available for IIS 10. See enhanced logging instead." + } | Write-Output +} + +# 5.3 +function Test-IISETWLoggingEnabled { + <# + .Synopsis + Ensure 'ETW Logging' is enabled + .Description + IIS introduces a new logging method. 
Administrators can now send logging information to Event Tracing for Windows (ETW) + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] $Site + ) + + process { + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if (-not ($Site.logFile.logTargetW3C -like "*ETW*")) { + $message = "ETW Logging disabled" + $audit = "False" + } + + @{ + Id = "5.3" + Task = "Ensure 'ETW Logging' is enabled" + Status = $audit + Message = $message + } | Write-Output + } +} + +#endregion + +#region 6 FTP Requests +# +# This section contains a crucial configuration setting for running file transfer protocol (FTP). + +# 6.1 +function Test-IISFtpRequestsEncrypted { + <# + .Synopsis + Ensure FTP requests are encrypted + .Description + The new FTP Publishing Service for IIS supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Socket Layers (SSL). FTP-S is an RFC standard (RFC 4217) where an SSL certificate is added to an FTP site and thereby making it possible to perform secure file transfers. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if ((Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { + try { + $sslConfigElement = Get-IISConfigSection ` + -SectionPath "system.applicationHost/sites" ` + | Get-IISConfigElement -ChildElementName "siteDefaults" ` + | Get-IISConfigElement -ChildElementName "ftpServer" ` + | Get-IISConfigElement -ChildElementName "security" ` + | Get-IISConfigElement -ChildElementName "ssl" + + $controlChannelPolicy = $sslConfigElement ` + | Get-IISConfigAttributeValue -AttributeName "controlChannelPolicy" + + $dataChannelPolicy = $sslConfigElement ` + | Get-IISConfigAttributeValue -AttributeName "dataChannelPolicy" + + if (($controlChannelPolicy -ne "SslRequire") -or ($dataChannelPolicy -ne "SslRequire")) { + $message = "Found following settings: `n controlChannelPolicy: $controlChannelPolicy `n dataChannelPolicy: $dataChannelPolicy" + $audit = "False" + } + } + catch { + $message = "Cannot get FTP security setting" + $audit = "False" + } + } + else { + $message = "Skipped this benchmark - right now Web-Ftp-Server is not installed" + $audit = "None" + } + + @{ + Id = "6.1" + Task = "Ensure FTP requests are encrypted" + Status = $audit + Message = $message + } | Write-Output +} + +# 6.2 +function Test-IISFtpLogonAttemptRestriction { + <# + .Synopsis + Ensure FTP Logon attempt restrictions is enabled + .Description + IIS introduced a built-in network security feature to automatically block brute force FTP attacks. This can be used to mitigate a malicious client from attempting a brute-force attack on a discovered account, such as the local administrator account. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + if ((Get-WindowsFeature Web-Ftp-Server).InstallState -eq [InstallState]::Installed) { + try { + $denyByFailure = Get-IISConfigSection ` + -SectionPath "system.ftpServer/security/authentication" ` + | Get-IISConfigElement -ChildElementName "denyByFailure" + + $enabled = $denyByFailure ` + | Get-IISConfigAttributeValue -AttributeName "enabled" + $maxFailure = $denyByFailure ` + | Get-IISConfigAttributeValue -AttributeName "maxFailure" + $entryExpiration = $denyByFailure ` + | Get-IISConfigAttributeValue -AttributeName "entryExpiration" + $loggingOnlyMode = $denyByFailure ` + | Get-IISConfigAttributeValue -AttributeName "loggingOnlyMode" + + if (($enabled) -and ($maxFailure -gt 0) -and ($entryExpiration -gt 0) -and (-not $loggingOnlyMode)) { + # All good + } + elseif (-not $enabled ) { + $message = "Feature disabled" + $audit = "False" + } + else { + $message = "Feature enabled, but check settings. Found: `n maxFailure: " ` + + $maxFailure + "`n entryExpiration: " ` + + $entryExpiration + "`n Only logging mode: " ` + + $loggingOnlyMode + $audit = "False" + } + } + catch { + $audit = "False" + $message = "Cannot get FTP Logon attempt settings" + } + } + else { + $message = "Skipped this benchmark - right now Web-Ftp-Server is not installed" + $audit = "None" + } + + @{ + Id = "6.2" + Task = "Ensure FTP Logon attempt restrictions is enabled" + Status = $audit + Message = $message + } | Write-Output +} + +#endregion + +#region 7 Transport Encryption +# +# This section contains recommendations for configuring IIS protocols and cipher suites. + +# 7.1 +function Test-IISHSTSHeaderSet { + <# + .Synopsis + Ensure HSTS Header is set + .Description + HTTP Strict Transport Security (HSTS) allows a site to inform the user agent to communicate with the site only over HTTPS. 
This header takes two parameters: max-age, "specifies the number of seconds, after the reception of the STS header field, during which the user agent regards the host (from whom the message was received) as a Known HSTS Host [speaks only HTTPS]"; and includeSubDomains. includeSubDomains is an optional directive that defines how this policy is applied to subdomains. If includeSubDomains is included in the header, it provides the following definition: this HSTS Policy also applies to any hosts whose domain names are subdomains of the Known HSTS Host's domain name. + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] $Configuration + ) + + process { + #Ensure $Configuration is not empty + if ($Configuration.RootSectionGroup) { + $message = "HSTS Header not set" + $audit = "False" + + $path = "system.webServer/httpProtocol" + $section = $Configuration.GetSection($path) + + [array]$customHeaders = $section.GetCollection("customHeaders") ` + | Where-Object { + $name = $_ | Get-IISConfigAttributeValue -AttributeName "name" + $name -eq "Strict-Transport-Security" + } + + if ($customHeaders.Count -eq 1) { + $value = $customHeaders[0] | Get-IISConfigAttributeValue -AttributeName "value" + $pattern = [regex]::new("max-age=(?[0-9]*)") + $match = $pattern.Match($value) + + if ($match.Success) { + [int]$maxAge = $match.Groups["maxage"].Value + if ($maxAge -eq 0) { + $message = "Max-age should be at least be higher than 0. It is recommended to set max-age to at least 480 seconds. Max-age is set at $maxAge" + $audit = "False" + } + elseif ($maxAge -lt 480) { + $message = "It is recommended to set max-age to at least 480 seconds. Max-age is set at $maxAge" + $audit = "Warning" + } + else { + $message = $MESSAGE_ALLGOOD + ". 
Max-age is set at $maxAge" + $audit = "True" + } + } + } + } + else { + $message = "Cannot read configuration file, the reference to the directory may not be correct or present" + $audit = "Warning" + } + + @{ + Id = "7.1" + Task = "Ensure HSTS Header is set" + Status = $audit + Message = $message + } | Write-Output + } + +} + +# 7.2 +function Test-IISSSL2Disabled { + <# + .Synopsis + Ensure SSLv2 is disabled + .Description + This protocol is not considered cryptographically secure. Disabling it is recommended. This protocol is disabled by default if the registry key is not present. A reboot is required for these changes to be reflected. + #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0" + + # SSL is disabled by default + # if $path exists, $path/server should also exist + if ((Test-Path $path) -and (Test-Path "$path\Server")) { + # Ensure the following key exists + $Key = Get-Item "$path\Server" + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" + # Ensure it is set to 0 + if ($value -ne 0) { + $message = "SSL 2.0 is enabled" + $audit = "False" + } + } + } + + @{ + Id = "7.2" + Task = "Ensure SSLv2 is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.3 +function Test-IISSSL3Disabled { + <# + .Synopsis + Ensure SSLv3 is disabled + .Description + This protocol is not considered cryptographically secure. Disabling it is recommended. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0" + + # SSL is disabled by default + # if $path exists, $path/server should also exist + if ((Test-Path $path) -and (Test-Path "$path\Server")) { + # Ensure the following key exists + $Key = Get-Item "$path\Server" + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" + # Ensure it is set to 0 + if ($value -ne 0) { + $message = "SSL 3.0 is enabled" + $audit = "False" + } + } + } + + @{ + Id = "7.3" + Task = "Ensure SSLv3 is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.4 +function Test-IISTLSDisabled { + <# + .Synopsis + Ensure TLS 1.0 is disabled + .Description + The PCI Data Security Standard 3.1 recommends disabling "early TLS" along with SSL: + + SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. 
+ #> + + $message = "TLS 1.0 is enabled" + $audit = "False" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" + + # TLS 1.0 is enabled by default + if (Test-Path $path) { + # Ensure the following key exists + $Key = Get-Item $path + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" + # Ensure it is set to 0 + if ($value -eq 0) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + elseif ($null -ne $Key.GetValue("DisabledByDefault", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "DisabledByDefault" + # Ensure it is set to 1 + if ($value -eq 1) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + } + + @{ + Id = "7.4" + Task = "Ensure TLS 1.0 is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.5 +function Test-IISTLS1_1Disabled { + <# + .Synopsis + Ensure TLS 1.1 is disabled + .Description + TLS 1.1 is required for backward compatibility. Ensure you fully test your application to ensure that backwards compatibility is not needed. If it is, build in exceptions as necessary for backwards compatibility. 
+ #> + + $message = "TLS 1.1 is enabled" + $audit = "False" + + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" + + # TLS is enabled by default + if (Test-Path $path) { + # Ensure the following key exists + $Key = Get-Item $path + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" + # Ensure it is set to 0 + if ($value -eq 0) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + elseif ($null -ne $Key.GetValue("DisabledByDefault", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "DisabledByDefault" + # Ensure it is set to 1 + if ($value -eq 1) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + } + + @{ + Id = "7.5" + Task = "Ensure TLS 1.1 is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.6 +function Test-IISTLS1_2Enabled { + <# + .Synopsis + Ensure TLS 1.2 is enabled + .Description + TLS 1.2 is the most recent and mature protocol for protecting the confidentiality and integrity of HTTP traffic. Enabling TLS 1.2 is recommended. This protocol is enabled by default if the registry key is not present. As with any registry changes, a reboot is required for changes to take effect. 
+ #> + + $message = $MESSAGE_ALLGOOD + $audit = "True" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" + + # if $path exists, $path/server should also exist + # TLS 1.2 is enabled by default + if ((Test-Path $path) -and (Test-Path "$path\Server")) { + # Ensure the following key exists + $Key = Get-Item "$path\Server" + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "Enabled" + if ($value -ne 1) { + $message = "TLS 1.2 is disabled" + $audit = "False" + } + } + else { + $message = "TLS 1.2 is disabled" + $audit = "False" + } + + if ($null -ne $Key.GetValue("DisabledByDefault", $null)) { + # Get-ItemProperty returns a [UInt32] + $value = Get-ItemProperty "$path\Server" | Select-Object -ExpandProperty "DisabledByDefault" + if ($value -ne 0) { + $message = "TLS 1.2 is disabled by default" + $audit = "False" + } + } + else { + $message = "TLS 1.2 is disabled" + $audit = "False" + } + } + + @{ + Id = "7.6" + Task = "Ensure TLS 1.2 is enabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.7 +function Test-IISNullCipherDisabled { + <# + .Synopsis + Ensure NULL Cipher Suites is disabled + .Description + The NULL cipher does not provide data confidentiality or integrity. It is recommended that the NULL cipher be disabled. 
+ #> + + $message = "NULL cipher is enabled" + $audit = "False" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\" + + if (Test-Path $path) { + $Key = Get-Item $path + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" + if ($value -eq 0) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + } + else { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + + @{ + Id = "7.7" + Task = "Ensure NULL Cipher Suites is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.8 +function Test-IISDESCipherDisabled { + <# + .Synopsis + Ensure DES Cipher Suites is disabled + .Description + DES is a weak symmetric-key cipher. It is recommended that it be disabled. + #> + + $message = "DES cipher is enabled" + $audit = "False" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56\" + + if (Test-Path $path) { + $Key = Get-Item $path + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" + if ($value -eq 0) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + } + else { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + + @{ + Id = "7.8" + Task = "Ensure DES Cipher Suites is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.9 +function Test-IISRC4CipherDisabled { + <# + .Synopsis + Ensure RC4 Cipher Suites is disabled + .Description + RC4 is a stream cipher that has known practical attacks. It is recommended that RC4 be disabled. The only RC4 cipher enabled by default on Server 2012 and 2012 R2 is RC4 128/128. 
+ #> + + $rc4Ciphers = @("RC4 40/128", "RC4 56/128", "RC4 64/128", "RC4 128/128") + + $index = 1 + foreach ($rc4Cipher in $rc4Ciphers) { + $message = "$rc4Cipher cipher is enabled" + $audit = "False" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$rc4Cipher\" + + if (Test-Path $path) { + $Key = Get-Item $path + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" + if ($value -eq 0) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + } + else { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + + @{ + Id = "7.9.$index" + Task = "Ensure RC4 Cipher Suites is disabled" + Status = $audit + Message = $message + } | Write-Output + + $index++ + } +} + +# 7.10 +function Test-IISAES128Disabled { + <# + .Synopsis + Ensure AES 128/128 Cipher Suite is configured + .Description + Enabling AES 128/128 may be required for client compatibility. Enable or disable this cipher suite accordingly. + #> + + $message = "AES 128/128 Cipher Suite is still enabled" + $audit = "False" + + try { + # Get-ItemProperty returns a [UInt32] + $enabled = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128\" ` + -ErrorAction Stop ` + | Select-Object ` + -ExpandProperty Enabled + + if ($enabled -eq 0) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + + } + catch { + # do anything here + } + + # If the key/value is not present,Triple AES 128/128 Cipher is disabled + + @{ + Id = "7.10" + Task = "Ensure AES 128/128 Cipher Suite is disabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.11 +function Test-IISAES256Enabled { + <# + .Synopsis + Ensure AES 256/256 Cipher Suite is enabled + .Description + AES 256/256 is the most recent and mature cipher suite for protecting the confidentiality and integrity of HTTP traffic. Enabling AES 256/256 is recommended. 
This is enabled by default on Server 2012 and 2012 R2. + #> + + $message = "AES 256/256 Cipher is disabled" + $audit = "False" + + $path = "HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256\" + + if (Test-Path $path) { + $Key = Get-Item $path + if ($null -ne $Key.GetValue("Enabled", $null)) { + $value = Get-ItemProperty $path | Select-Object -ExpandProperty "Enabled" + if ($value -eq 1) { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + } + } + else { + $message = $MESSAGE_ALLGOOD + $audit = "True" + } + + @{ + Id = "7.11" + Task = "Ensure AES 256/256 Cipher Suite is enabled" + Status = $audit + Message = $message + } | Write-Output +} + +# 7.12 +function Test-IISTLSCipherOrder { + <# + .Synopsis + Ensure TLS Cipher Suite ordering is configured + .Description + Cipher suites are a named combination of authentication, encryption, message authentication code, and key exchange algorithms used for the security settings of a network connection using TLS protocol. Clients send a cipher list and a list of ciphers that it supports in order of preference to a server. The server then replies with the cipher suite that it selects from the client cipher suite list. 
+ #> + $task = "Ensure TLS Cipher Suite ordering is correctly configured" + $id = "7.12" + try { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + #check if correct type + $typeTable = @{ + "String" = "String Value" + "Byte" = "Byte Value" + "Int32" = "DWORD (32-bit) Value" + "Int64" = "QWORD (64-bit) Value" + "String[]" = "Multi-String Value" + } + + $currentType = $typeTable[$res] + if ($res -ne [String]) { + @{ + Id = $id + Task = $task + Status = "False" + Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'String Value'" + } | Write-Output + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue.Split(',') + $regValues = $regValues -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach($element in $regValues){ + if($listOfWeakCipherSuites.Contains($element)){ + $weakRulesFound += $element + } + if($listOfInsecureCipherSuites.Contains($element)){ + $insecureRulesFound += $element + } + } + #Default status + $status = "Error" + + #Output + $verbInsecure = "rules have" + $verbWeak = "rules have" + if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"} + if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"} + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach($member in $weakRulesFound){ + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach($member in $insecureRulesFound){ + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){ + $message = "" + if($weakRulesFound.Count -eq 0){ $weakMessage = "" } + if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + @{ + Id = $id + Task = $task + Status = $status + Message = $message + } | Write-Output + } + + if ($regValue -ne $reference) { + @{ + Id = $id + Task = $task + Status = "True" + Message = "Compliant" + } | Write-Output + } + } + catch { + $regValue = Get-ItemProperty -ErrorAction Stop ` + -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" ` + -Name "Functions" + $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + $res = $regValue.Functions.GetType().Name + + #check if correct type + $typeTable = @{ + "String" = "String Value" + "Byte" = "Byte Value" + "Int32" = "DWORD (32-bit) Value" + "Int64" = "QWORD (64-bit) Value" + "String[]" = "Multi-String Value" + } + + $currentType = $typeTable[$res] + if ($res -ne [String[]]) { + @{ + Id = $id + Task = $task + Status = "False" + Message = "Wrong Registry type! Registry type is '$currentType'. 
Expected: 'Multi-String Value'" + } | Write-Output + } + + #check if insecure or weak cipher is inside value + $regValues = $regValue -replace ' ', '' + $weakRulesFound = @() + $insecureRulesFound = @() + foreach($element in $regValues){ + if($listOfWeakCipherSuites.Contains($element)){ + $weakRulesFound += $element + } + if($listOfInsecureCipherSuites.Contains($element)){ + $insecureRulesFound += $element + } + } + #Default status + $status = "Error" + + #Output + $verbInsecure = "rules have" + $verbWeak = "rules have" + if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"} + if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"} + $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules:
" + $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules:
" + + #Preparing message + foreach($member in $weakRulesFound){ + $status = "Warning" + $weakMessage += "$($member)
" + } + foreach($member in $insecureRulesFound){ + $status = "False" + $insecureMessage += "$($member)
" + } + #Combine or shorten message + if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){ + $message = "" + if($weakRulesFound.Count -eq 0){ $weakMessage = "" } + if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" } + + $message = $insecureMessage + $weakMessage + @{ + Id = $id + Task = $task + Status = $status + Message = $message + } | Write-Output + } + + if ($regValue -ne $reference) { + @{ + Id = $id + Task = $task + Status = "True" + Message = "Compliant" + } | Write-Output + } + } + + @{ + Id = $id + Task = $task + Status = "True" + Message = "Compliant" + } | Write-Output +} + + +#endregion + +#region Report Generation + +function Get-IIS10SystemReport { + # Section 1 + Test-IISUniqueSiteAppPool + + # Section 2 + Test-IISPasswordFormatNotClearMachineLevel + Test-IISCredentialsNotStoredMachineLevel + + # Section 3 + Test-IISDeploymentMethodRetail + Test-IISAspNetTracingDisabledMachineLevel + + # Section 4 + Test-IISIsapisNotAllowed + Test-IISCgisNotAllowed + + # Section 5 + Test-IISAdvancedLoggingEnabled + + # Section 6 + Test-IISFtpRequestsEncrypted + Test-IISFtpLogonAttemptRestriction + + # Section 7 + Test-IISSSL2Disabled + Test-IISSSL3Disabled + Test-IISTLSDisabled + Test-IISTLS1_1Disabled + Test-IISTLS1_2Enabled + Test-IISNullCipherDisabled + Test-IISDESCipherDisabled + Test-IISRC4CipherDisabled + Test-IISAES128Disabled + Test-IISAES256Enabled + Test-IISTLSCipherOrder +} + +function Get-IIS10ApplicationHostReport { + $Configuration = (Get-IISServerManager).GetApplicationHostConfiguration() + + # Section 1 + $Configuration | Test-IISDirectoryBrowsing + $Configuration | Test-IISAnonymouseUserIdentity + + # Section 2 + $Configuration | Test-IISGlobalAuthorization + $Configuration | Test-IISAuthenticatedPricipals + $Configuration | Test-IISFormsAuthenticationSSL + $Configuration | Test-IISFormsAuthenticationCookies + $Configuration | Test-IISFormsAuthenticationProtection + $Configuration | Test-IISPasswordFormatNotClear + 
$Configuration | Test-IISCredentialsNotStored + + # Section 3 + $Configuration | Test-IISDebugOff + $Configuration | Test-IISCustomErrorsNotOff + $Configuration | Test-IISHttpErrorsHidden + $Configuration | Test-IISAspNetTracingDisabled + $Configuration | Test-IISCookielessSessionState + + # Section 4 + $Configuration | Test-IISMaxAllowedContentLength + $Configuration | Test-IISMaxURLRequestFilter + $Configuration | Test-IISMaxQueryStringRequestFilter + $Configuration | Test-IISNonASCIICharURLForbidden + $Configuration | Test-IISRejectDoubleEncodedRequests + $Configuration | Test-IISHTTPTraceMethodeDisabled + $Configuration | Test-IISBlockUnlistedFileExtensions + $Configuration | Test-IISHandlerDenyWrite + + # Section 5 + + # Section 6 + + # Section 7 + $Configuration | Test-IISHSTSHeaderSet + +} + +function Get-VirtualPathAudit { + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Configuration] + $Configuration + ) + + process { + # Section 1 + $Configuration | Test-IISDirectoryBrowsing + $Configuration | Test-IISAnonymouseUserIdentity + + # Section 2 + $Configuration | Test-IISGlobalAuthorization + $Configuration | Test-IISAuthenticatedPricipals + $Configuration | Test-IISFormsAuthenticationSSL + $Configuration | Test-IISFormsAuthenticationCookies + $Configuration | Test-IISFormsAuthenticationProtection + $Configuration | Test-IISPasswordFormatNotClear + $Configuration | Test-IISCredentialsNotStored + + # Section 3 + $Configuration | Test-IISDebugOff + $Configuration | Test-IISCustomErrorsNotOff + $Configuration | Test-IISHttpErrorsHidden + $Configuration | Test-IISAspNetTracingDisabled + $Configuration | Test-IISCookielessSessionState + $Configuration | Test-IISCookiesHttpOnly + + # Section 4 + $Configuration | Test-IISMaxAllowedContentLength + $Configuration | Test-IISMaxURLRequestFilter + $Configuration | Test-IISMaxQueryStringRequestFilter + $Configuration | Test-IISNonASCIICharURLForbidden + $Configuration | 
Test-IISRejectDoubleEncodedRequests + $Configuration | Test-IISHTTPTraceMethodeDisabled + $Configuration | Test-IISBlockUnlistedFileExtensions + $Configuration | Test-IISHandlerDenyWrite + + # Section 5 + + # Section 6 + + # Section 7 + $Configuration | Test-IISHSTSHeaderSet + } +} + +function Get-SiteAudit { + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Site] + $Site + ) + + process { + $AppPools = $Site.Applications.ApplicationPoolName | Sort-Object | Get-Unique | Get-IISAppPool + + # Section 1 + $Site | Test-IISVirtualDirPartition + $Site | Test-IISHostHeaders + $AppPools | Test-IISAppPoolIdentity + + # Section 2 + $Site | Test-IISTLSForBasicAuth + + # Section 3 + $Site | Test-IISMachineKeyValidation + $Site | Test-IISMachineKeyValidationV45 + $Site | Test-IISDotNetTrustLevel + + # Section 4 + $Site | Test-IISDynamicIPRestrictionEnabled + + # Section 5 + $Site | Test-IISLogFileLocation + $Site | Test-IISETWLoggingEnabled + + # Section 6 + + + # Section 7 + + } +} + +function Get-IISHostInformation { + $infos = Get-CimInstance Win32_OperatingSystem + $disk = Get-CimInstance Win32_LogicalDisk | Where-Object -Property DeviceID -eq "C:" + + $IISinstallPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\InetStp").Installpath + + return [ordered]@{ + "Hostname" = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName + "Operating System" = $infos.Caption + "Build Number" = $infos.BuildNumber + "IIS Version" = (Get-ItemProperty -Path ("$IISinstallPath\w3wp.exe")).VersionInfo.ProductVersion + "Free physical memory (GB)" = "{0:N3}" -f ($infos.FreePhysicalMemory / 1MB) + "Free disk space (GB)" = "{0:N1}" -f ($disk.FreeSpace / 1GB) + } +} + +[Report] @{ + Title = "IIS 10 Benchmarks" + ModuleName = "ATAPAuditor" + BasedOn = "CIS Microsoft IIS 10 Benchmark, Version: 1.1.0, Date: 12-11-2018" + HostInformation = Get-IISHostInformation + Sections = @( + [ReportSection] @{ + Title = "System Report" + AuditInfos = Get-IIS10SystemReport + } + 
[ReportSection] @{ + Title = "ApplicationHost" + AuditInfos = Get-IIS10ApplicationHostReport + } + foreach ($Site in Get-IISSite) { + $VirtualPaths = $Site | Get-IISSiteVirtualPaths -AllVirtualDirectories + + [ReportSection] @{ + Title = "Full site report for: $($Site.Name)" + AuditInfos = $Site | Get-SiteAudit + SubSections = @( + foreach ($VirtualPath in $VirtualPaths) { + $Configuration = (Get-IISServerManager).GetWebConfiguration($Site.Name, $VirtualPath) + + [ReportSection]@{ + Title = "Report for: $VirtualPath" + AuditInfos = $Configuration | Get-VirtualPathAudit + } + } + ) + } + } + ) +} +#endregion diff --git a/ATAPAuditor/Reports/Microsoft Internet Explorer 11.ps1 b/ATAPAuditor/Reports/Microsoft Internet Explorer 11.ps1 new file mode 100644 index 0000000..3866b12 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Internet Explorer 11.ps1 
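Review bot: Get-IISHostInformation hard-codes the system drive in `Where-Object -Property DeviceID -eq "C:"`, so "Free disk space (GB)" is empty or refers to the wrong volume on hosts where Windows is installed elsewhere; compare against `$env:SystemDrive` instead. The `# Section 5`, `# Section 6` and `# Section 7` headings in the `$Configuration` checks at the top of the hunk, and `# Section 6` / `# Section 7` in Get-SiteAudit, contain no checks and no comment saying whether those benchmark sections are not yet implemented or simply not applicable at that scope; a one-line comment (or dropping the empty headings) would make the report's coverage explicit. Minor: `Test-IISHTTPTraceMethodeDisabled` carries a typo in its name ("Methode"), `[System.Net.Dns]::GetHostByName` is the obsolete overload (`GetHostEntry` is the current one), and the `BasedOn` date `12-11-2018` does not follow the `YYYY-MM-DD` form used by the other report files in this patch.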
@@ -0,0 +1,41 @@ +[Report] @{ + Title = 'Internet Explorer 11 Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + 'CIS Microsoft Internet Explorer 11 Benchmark, Version: 1.0.0, Date: 2014-12-01' + 'Microsoft Windows 10 Windows Server v2004 Security Baseline FINAL, Version: 2004, Date: 2020-08-04' + 'DISA Microsoft Internet Explorer 11 Security Technical Implementation Guide, Version: V1R16, Date: 2018-06-08' + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Recommendations" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Internet Explorer 11-CIS-1.0.0#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "MS Recommendations" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Internet Explorer 11-MS-2004#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Internet Explorer 11-DISA-V1R16#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Office.ps1 b/ATAPAuditor/Reports/Microsoft Office.ps1 new file mode 100644 index 0000000..5084a8e --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Office.ps1 
@@ -0,0 +1,19 @@ +[Report] @{ + Title = 'Microsoft Office Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + 'CIS Microsoft Office Enterprise Benchmark, Version: 1.2.0, Date: 2024-07-19' + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Office Enterprise-CIS-1.2.0#RegistrySettings" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 b/ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 new file mode 100644 index 0000000..db3aab4 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft SQL Server 2016.ps1 
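Review bot: the section title is inconsistent with the Internet Explorer 11 report added in the same patch: this file uses `Title = "CIS Benchmarks"` while that one uses `Title = "CIS Recommendations"` for the same kind of section, although both carry the identical `Description = "This section contains all CIS recommendations"`. Pick one label so the generated reports are uniform. Also, quoting alternates between single and double quotes inside the same hashtable (`Title = 'Microsoft Office Audit Report'` vs `Title = "CIS Benchmarks"`); harmless, but worth normalizing.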
@@ -0,0 +1,2754 @@ +[CmdletBinding(DefaultParameterSetName = "Default")] +param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] + $SqlInstance, + + [string] + $MachineName = $env:COMPUTERNAME, + + [Parameter(Mandatory = $true, ParameterSetName = "ByAuditInfo")] + [Hashtable[]] + $InstanceAudits +) + +if (get-module -ListAvailable SQLPS) { + Import-Module SQLPS -Force +} +elseif (get-module -ListAvailable SQLServer) { + Import-Module SQLServer -Force +} + +# CIS Microsoft SQL Server 2016 Benchmark +# v1.0.0 - 08-11-2017 +# +# + + +# +# +# CIS Microsoft SQL Server 2016 Benchmark - Audit section +#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# + + +# +# 1 Installation, Updates and Patches +# +# This section contains recommendations related to installing and patching SQL Server. +# + + +#region 2 Surface Area Reduction +# +# SQL Server offers various configuration options, some of them can be controlled by the +# sp_configure stored procedure. This section contains the listing of the corresponding recommendations. + +function Test-SQLAdHocDistributedQueriesDisabled { + <# +.Synopsis + Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.1 - Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'. + + Enabling Ad Hoc Distributed Queries allows users to query data and execute statements on external data sources. This functionality should be disabled. + + This feature can be used to remotely access and exploit vulnerabilities on remote SQL Server instances and to run unsafe Visual Basic for Application functions. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.1") + $obj | Add-Member NoteProperty Task("Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + ",`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLClrEnabled { + <# +.Synopsis + Ensure 'CLR Enabled' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.2 - Ensure 'CLR Enabled' Server Configuration Option is set to '0'. + + The clr enabled option specifies whether user assemblies can be run by SQL Server. 
+ + Enabling use of CLR assemblies widens the attack surface of SQL Server and puts it at risk from both inadvertent and malicious assemblies. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.2") + $obj | Add-Member NoteProperty Task("Ensure 'CLR Enabled' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'clr enabled';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLCrossDBOwnershipDisabled { + <# +.Synopsis + Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'. 
+.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.3 - Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0' + + The cross db ownership chaining option controls cross-database ownership chaining + + across all databases at the instance (or server) level. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.3") + $obj | Add-Member NoteProperty Task("Ensure 'Cross DB Ownership Chaining' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'cross db ownership chaining';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLDatabaseMailXPsDisabled { + <# +.Synopsis + Ensure 'Database Mail XPs' Server Configuration Option is 
set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.4 - Ensure 'Database Mail XPs' Server Configuration Option is set to '0'. + + The Database Mail XPs option controls the ability to generate and transmit email messages from SQL Server. + + Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS attack vector and channel to exfiltrate data from the database server to a remote host. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.4") + $obj | Add-Member NoteProperty Task("Ensure 'Database Mail XPs' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Database Mail XPs';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + Write-Output 
$obj +} + +function Test-SQLOleAutomationProceduresDisabled { + <# +.Synopsis + Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.5 - Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'. + + The Ole Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server. + + Disabling the Database Mail XPs option reduces the SQL Server surface, eliminates a DOS attack vector and channel to exfiltrate data from the database server to a remote host. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.5") + $obj | Add-Member NoteProperty Task("Ensure 'Ole Automation Procedures' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n 
value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLRemoteAccessDisabled { + <# +.Synopsis + Ensure 'Remote Access' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.6 - Ensure 'Remote Access' Server Configuration Option is set to '0'. + + The remote access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server. + + Functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.6") + $obj | Add-Member NoteProperty Task("Ensure 'Remote Access' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote access';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty 
Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use: " + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLRemoteAdminConnectionsDisabled { + <# +.Synopsis + Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.7 - Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' + + The remote admin connections option controls whether a client application on a remote computer can use the Dedicated Administrator Connection (DAC). + + The Dedicated Administrator Connection (DAC) lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot + problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. In a cluster scenario, the + administrator may not actually be logged on to the same node that is currently hosting the SQL Server instance and thus is considered "remote". Therefore, this setting should usually + be enabled (1) for SQL Server failover clusters; otherwise it should be disabled (0) which is the default. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.7") + $obj | Add-Member NoteProperty Task("Ensure 'Remote Admin Connections' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'remote admin connections' AND SERVERPROPERTY('IsClustered') = 0;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLScanForStartupProcsDisabled { + <# +.Synopsis + Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.8 - Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'. 
+ + The scan for startup procs option, if enabled, causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup. + + Enforcing this control reduces the threat of an entity leveraging these facilities for malicious purposes. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.8") + $obj | Add-Member NoteProperty Task("Ensure 'Scan For Startup Procs' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'scan for startup procs';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLTrustworthyDatabaseOff { + <# +.Synopsis + Ensure 'Trustworthy' Database Property is set to 'Off'. 
+.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.9 - Ensure 'Trustworthy' Database Property is set to 'Off'. + + The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances. + + Provides protection from malicious CLR assemblies or extended procedures. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.9") + $obj | Add-Member NoteProperty Task("Ensure 'Trustworthy' Database Property is set to 'Off'") + + $query = "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != 'msdb';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found $sqlResult.name") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLServerProtocolsDisabled { + <# +.Synopsis + Ensure Unnecessary SQL Server Protocols are set to 'Disabled'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.10 - Ensure Unnecessary SQL Server Protocols are set to 'Disabled'. + + SQL Server supports Shared Memory, Named Pipes, and TCP/IP protocols. 
However, SQL Server should be configured to use the bare minimum required based on the organization's needs. + + Using fewer protocols minimizes the attack surface of SQL Server and, in some cases, can protect it from remote attacks. +#> + [CmdletBinding()] + param( + [string] $SqlInstance = "MSSQLSERVER", + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.10") + $obj | Add-Member NoteProperty Task("Ensure Unnecessary SQL Server Protocols are set to 'Disabled'") + + $protocols = "np", "sm", "tcp" + $smo = 'Microsoft.SqlServer.Management.Smo.' + $wmi = New-Object ($smo + 'Wmi.ManagedComputer') + + try { + $singleWmi = $wmi | Where-Object {$_.Name -eq $machineName} + $foundProtocols = @() + foreach ($protocol in $protocols) { + $uri = "ManagedComputer[@Name='$machineName']/ServerInstance[@Name='$sqlInstance']/ServerProtocol[@Name='$protocol']" + $p = $singleWmi.GetsmoObject($uri) + if ($p.isEnabled) { + $foundProtocols += $p.displayName + } + } + [string]$s = $null + $s = $foundProtocols -join ", " + + if ($foundProtocols.Count -eq 0) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + elseif ($foundProtocols.Count -eq 1) { + $obj | Add-Member NoteProperty Status("Only one Protocol is enabled: " + $s) + $obj | Add-Member NoteProperty Audit("True") + } + elseif ($foundProtocols.Count -eq 2) { + $obj | Add-Member NoteProperty Status("Following protocols are enabled: " + $s) + $obj | Add-Member NoteProperty Audit("Warning") + } + else { + $obj | Add-Member NoteProperty Status("Following protocols are enabled: " + $s) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Mangement.Automation.MethodInvocationException] { + $obj | Add-Member NoteProperty Status("MachineName not found or sqlInstance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } 
+ Write-Output $obj +} + +function Test-SQLUseNonStandardPorts { + <# +.Synopsis + Ensure SQL Server is configured to use non-standard ports. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.11 - Ensure SQL Server is configured to use non-standard ports. + + The TRUSTWORTHY database option allows database objects to access objects in other databases under certain circumstances. + + Provides protection from malicious CLR assemblies or extended procedures. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.11") + $obj | Add-Member NoteProperty Task("Ensure SQL Server is configured to use non-standard ports") + + $query = "DECLARE @value nvarchar(256); + EXECUTE master.dbo.xp_instance_regread + N'HKEY_LOCAL_MACHINE', + N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib\Tcp\IPAll', + N'TcpPort', + @value OUTPUT, + N'no_output'; + SELECT @value AS TCP_Port WHERE @value = '1433';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("TCP port 1433 in use") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + 
+function Test-SQLHideInstanceEnabled { + <# +.Synopsis + Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.12 - Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances. + + Non-clustered SQL Server instances within production environments should be designated as hidden to prevent advertisement by the SQL Server Browser service. + + Designating production SQL Server instances as hidden leads to a more secure installation because they cannot be enumerated. However, clustered instances may break if this option is selected. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.12") + $obj | Add-Member NoteProperty Task("Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances") + + $query = "DECLARE @getValue INT; + EXEC master..xp_instance_regread + @rootkey = N'HKEY_LOCAL_MACHINE', + @key = N'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQLServer\SuperSocketNetLib', + @value_name = N'HideInstance', + @value = @getValue OUTPUT; + SELECT @getValue AS Hide_Instance;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $sqlResult.Hide_Instance -eq 1 ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Instance not hidden") + $obj | Add-Member NoteProperty Audit("False") + } + } + 
catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLSaLoginAccountDisabled { + <# +.Synopsis + Ensure the 'sa' Login Account is set to 'Disabled'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.13 - Ensure the 'sa' Login Account is set to 'Disabled'. + + The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01. + + Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.13") + $obj | Add-Member NoteProperty Task("Ensure the 'sa' Login Account is set to 'Disabled'") + + $query = "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("SA Login Account enabled") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server 
Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLSaLoginAccountRenamed { + <# +.Synopsis + Ensure the 'sa' Login Account has been renamed. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.14 - Ensure the 'sa' Login Account has been renamed. + + The sa account is a widely known and often widely used SQL Server account with sysadmin privileges. This is the original login created during installation and always has the principal_id=1 and sid=0x01. + + It is more difficult to launch password-guessing and brute-force attacks against the sa login if the name is not known. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.14") + $obj | Add-Member NoteProperty Task(" Ensure the 'sa' Login Account has been renamed") + + $query = "SELECT name FROM sys.server_principals WHERE sid = 0x01" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ($sqlResult.name -ne "sa") { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("SA Login Account not renamed") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function 
Test-SQLXpCommandShellDisabled { + <# +.Synopsis + Ensure 'xp_cmdshell' Server Configuration Option is set to '0'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.15 - Ensure 'xp_cmdshell' Server Configuration Option is set to '0'. + + The xp_cmdshell option controls whether the xp_cmdshell extended stored procedure can be used by an authenticated SQL Server user to execute operating-system command shell commands and return results as rows within the SQL client. + + The xp_cmdshell procedure is commonly used by attackers to read or write data to/from the underlying Operating System of a database server. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.15") + $obj | Add-Member NoteProperty Task("Ensure 'xp_cmdshell' Server Configuration Option is set to '0'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( ($sqlResult.value_configured -eq 0) -and ($sqlResult.value_in_use -eq 0) ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Values do not match, found: `n value_configured: " + $sqlResult.value_configured + "`n value_in_use:" + $sqlResult.value_in_use) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch 
[System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLAutoCloseOff { + <# +.Synopsis + Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.16 - Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases. + + AUTO_CLOSE determines if a given database is closed or not after a connection terminates. If enabled, subsequent connections to the given database will require the database to be + reopened and relevant procedure caches to be rebuilt. + + Because authentication of users for contained databases occurs within the database not at the server\instance level, the database must be opened every time to authenticate a user. + The frequent opening/closing of the database consumes additional server resources and may contribute to a denial of service. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.16") + $obj | Add-Member NoteProperty Task(" Ensure 'AUTO_CLOSE' is set to 'OFF' on contained databases") + + $query = "SELECT name, containment, containment_desc, is_auto_close_on FROM sys.databases WHERE containment <> 0 and is_auto_close_on = 1;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult.name) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("AUTO_CLOSE not set to OFF") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLNoSaAccounnt { + <# +.Synopsis + Ensure no login exists with the name 'sa'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 2 Surface Area Reduction + + 2.17 - Ensure no login exists with the name 'sa'. + + The sa login (e.g. principal) is a widely known and often widely used SQL Server account.Therefore, there should not be a login called sa even when the original sa login (principal_id = 1) has been renamed. + + Enforcing this control reduces the probability of an attacker executing brute force attacks against a well-known principal name. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("2.17") + $obj | Add-Member NoteProperty Task("Ensure no login exists with the name 'sa'") + + $query = "SELECT principal_id, name FROM sys.server_principals WHERE name = 'sa';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult.name) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found login with name 'sa'") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} +#endregion + +#region 3 Authentication and Authorization +# +# This section contains recommendations related to SQL Server's authentication and authorization mechanisms. +# + +function Test-SQLServerAuthentication { + <# +.Synopsis + Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.1 - Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'. + + Uses Windows Authentication to validate attempted connections. + + Windows provides a more robust authentication mechanism than SQL Server authentication. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.1") + $obj | Add-Member NoteProperty Task("Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'") + + $query = "SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as [login_mode];" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $sqlResult.login_mode -eq 1 ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + elseif ( $sqlResult.login_mode -eq 0 ) { + $obj | Add-Member NoteProperty Status("Login mode set to Mixed Mode Authentication") + $obj | Add-Member NoteProperty Audit("False") + } + else { + $obj | Add-Member NoteProperty Status("An unknown error occured") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLGuestPermissionOnDatabases { + <# +.Synopsis + Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.2 - Ensure CONNECT permissions on the 'guest' user is Revoked within all SQL Server databases excluding the master, msdb and tempdb. 
+ + Remove the right of the guest user to connect to SQL Server databases, except for master, msdb, and tempdb. + + A login assumes the identity of the guest user when a login has access to SQL Server but does not have access to a database through its own account and the database has a guest + user account. Revoking the CONNECT permission for the guest user will ensure that a login is not able to access database information without explicit access to do so. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $databases = Get-SqlDatabase -ServerInstance $instanceName -ErrorAction Stop | Select-Object -ExpandProperty name + } + else { + $databases = Get-SqlDatabase -ServerInstance $MachineName -ErrorAction Stop | Select-Object -ExpandProperty name + } + + $databases = {$databases}.Invoke() + if ($databases.Remove("master")) { + } + if ($databases.Remove("msdb")) { + } + if ($databases.Remove("tempdb")) { + } + $index = 1 + + foreach ($database in $databases) { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.2.$index") + $obj | Add-Member NoteProperty Task("Ensure CONNECT permissions on the 'guest' user is revoked for database $database") + $query = "USE [$database]; " + ` + "SELECT DB_NAME() AS DatabaseName, 'guest' AS Database_User, [permission_name], [state_desc] + FROM sys.database_permissions + WHERE [grantee_principal_id] = DATABASE_PRINCIPAL_ID('guest') + AND [state_desc] LIKE 'GRANT%' + AND [permission_name] = 'CONNECT' + AND DB_NAME() NOT IN ('master','tempdb','msdb');" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance 
$instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Got $sqlResult") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj + + $index++ + } + } + catch { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.2") + $obj | Add-Member NoteProperty Task("Ensure CONNECT permissions on the 'guest' user is revoked for database $database") + $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") + $obj | Add-Member NoteProperty Audit("Warning") + Write-Output $obj + } +} + +function Test-SQLDropOrphanedUsers { + <# +.Synopsis + Ensure 'Orphaned Users' are Dropped From SQL Server Databases. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.3 - Ensure 'Orphaned Users' are Dropped From SQL Server Databases. + + A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance and is referred to as orphaned and should be removed. + + Orphan users should be removed to avoid potential misuse of those broken users in any way. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $databases = Get-SqlDatabase -ServerInstance $instanceName -ErrorAction Stop | Select-Object -ExpandProperty name + } + else { + $databases = Get-SqlDatabase -ServerInstance $MachineName -ErrorAction Stop | Select-Object -ExpandProperty name + } + + $index = 1 + + foreach ($database in $databases) { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.3.$index") + $obj | Add-Member NoteProperty Task("Ensure 'Orphaned Users' are dropped for database $database") + + $query = "USE [$database]; + GO + EXEC sp_change_users_login @Action='Report';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Got $sqlResult") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + Write-Output $obj + + $index++ + } + } + catch { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.3") + $obj | Add-Member NoteProperty Task("Ensure 'Orphaned Users' are dropped for database $database") + $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") + $obj | 
Add-Member NoteProperty Audit("Warning") + Write-Output $obj + } +} + +function Test-SQLAuthenticationDisabled { + <# +.Synopsis + Ensure SQL Authentication is not used in contained databases. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.4 - Ensure SQL Authentication is not used in contained databases. + + Contained databases do not enforce password complexity rules for SQL Authenticated users. + + The absence of an enforced password policy may increase the likelihood of a weak credential being established in a contained database. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $databases = Get-SqlDatabase -ServerInstance $instanceName -ErrorAction Stop | Select-Object -ExpandProperty name + } + else { + $databases = Get-SqlDatabase -ServerInstance $MachineName -ErrorAction Stop | Select-Object -ExpandProperty name + } + + if ($databases.Count -eq 0) { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.1") + $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases") + $obj | Add-Member NoteProperty Status("No databases found") + $obj | Add-Member NoteProperty Audit("Warning") + Write-Output $obj + } + + $index = 1 + + foreach ($database in $databases) { + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.4.$index") + $obj | Add-Member NoteProperty Task("Ensure SQL Authentication is not used for database $database") + + $query = "USE [$database]; + GO + SELECT name AS DBUser + FROM sys.database_principals + WHERE name NOT IN ('dbo','Information_Schema','sys','guest') + AND type IN ('U','S','G') + AND 
authentication_type = 2; + GO" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Got $sqlResult") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + Write-Output $obj + + $index++ + } + } + catch { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.4") + $obj | Add-Member NoteProperty Task("Ensure CONNECT permissions on the 'guest' user is revoked for database $database") + $obj | Add-Member NoteProperty Status("Ensure SQL Authentication is not used for database $database") + $obj | Add-Member NoteProperty Audit("Warning") + Write-Output $obj + } +} + +function Test-SQLServerServiceAccountIsNotAnAdministrator { + <# +.Synopsis + Ensure the SQL Server’s MSSQL Service Account is Not an Administrator +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.5 - Ensure the SQL Server’s MSSQL Service Account is Not an Administrator + + The service account and/or service SID used by the MSSQLSERVER service for a default instance or MSSQL$ service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the MSSQL service as this account has higher privileges than the SQL Server service requires. 
+ + Following the principle of least privilege, the service account should have no more privileges than required to do its job. For SQL Server services, the SQL Server Setup will assign the required permissions directly to the service SID. No additional permissions or privileges should be necessary. +#> + [CmdletBinding()] + param( + [string] $MachineName = $env:COMPUTERNAME + ) + $obj = New-Object psobject + $obj | Add-Member NoteProperty ID("3.5") + $obj | Add-Member NoteProperty Task("Ensure the SQL Server’s MSSQL Service Account is Not an Administrator") + + + $smo = 'Microsoft.SqlServer.Management.Smo.' + $wmi = New-Object ($smo + 'Wmi.ManagedComputer') + $singleWmi = $wmi | Where-Object {$_.Name -eq $machineName} + $sqlServer = $singleWmi.Services | Where-Object {$_.Type -eq "SqlServer"} + $serviceAccountNames = @() + foreach ($sqlS in $sqlServer) { + $serviceAccountNames += $sqlS.ServiceAccount.Substring($sqlS.serviceAccount.IndexOf("\") + 1 ) + } + + $ADSIComputer = [ADSI]("WinNT://$machineName,computer") + try { + $group = $ADSIComputer.psbase.children.find('Administrators', 'Group') + } + catch { + try { + $group = $ADSIComputer.psbase.children.find('Administratoren', 'Group') + } + catch [System.Mangement.Automation.MethodInvocationException] { + $obj | Add-Member NoteProperty Status("MachineName not found") + $obj | Add-Member NoteProperty Audit("Warning") + return Write-Output $obj + } + } + + $members = $group.psbase.invoke("members") | ForEach-Object { + $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) + } + $admins = @() + + foreach ($member in $members) { + try { + # Try if $member is a AD group and get all members of this group including all nested groups + $admins += (Get-ADGroupMember $member -Recursive | Select-Object -ExpandProperty SamAccountName) + } + catch { + # TODO catch unterscheiden nach nicht gefunden oder active directory Fehler + # If it is not a AD group, it has to be a local account, so add it (we assume local 
groups are not used inside the company) + $admins += $member + } + } + foreach ($serviceAccountName in $serviceAccountNames) { + foreach ($admin in $admins) { + if ($admin -eq $serviceAccountName) { + $sqlAdmins += $serviceAccountName + } + } + } + if ($null -eq $sqlAdmins) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Following service accounts are administrator: " + $sqlAdmins) + $obj | Add-Member NoteProperty Audit("False") + } + Write-Output $obj +} + +function Test-SQLAgentServiceAccountIsNotAnAdministrator { + <# +.Synopsis + Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.6 - Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator + + The service account and/or service SID used by the SQLSERVERAGENT service for a default instance or SQLAGENT$ service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the SQLAGENT service as this account has higher privileges than the SQL Server service requires. + + Following the principle of least privilege, the service account should have no more privileges than required to do its job. For SQL Server services, the SQL Server Setup will assign the required permissions directly to the service SID. No additional permissions or privileges should be necessary. +#> + [CmdletBinding()] + param( + [string] $MachineName = $env:COMPUTERNAME + ) + $obj = New-Object psobject + $obj | Add-Member NoteProperty ID("3.6") + $obj | Add-Member NoteProperty Task("Ensure the SQL Server’s SQLAgent Service Account is Not an Administrator") + + $smo = 'Microsoft.SqlServer.Management.Smo.' 
+ $wmi = New-Object ($smo + 'Wmi.ManagedComputer') + $singleWmi = $wmi | Where-Object {$_.Name -eq $machineName} + $sqlAgent = $singleWmi.Services | Where-Object {$_.Type -eq "SqlAgent"} + $sqlAgentNames = @() + foreach ($sqlS in $sqlAgent) { + $sqlAgentNames += $sqlS.ServiceAccount.Substring($sqlS.serviceAccount.IndexOf("\") + 1 ) + } + + $ADSIComputer = [ADSI]("WinNT://$machineName,computer") + + try { + $group = $ADSIComputer.psbase.children.find('Administrators', 'Group') + } + catch { + try { + $group = $ADSIComputer.psbase.children.find('Administratoren', 'Group') + } + catch [System.Mangement.Automation.MethodInvocationException] { + $obj | Add-Member NoteProperty Status("MachineName not found") + $obj | Add-Member NoteProperty Audit("Warning") + return Write-Output $obj + } + } + + $members = $group.psbase.invoke("members") | ForEach-Object { + $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) + } + $admins = @() + + foreach ($member in $members) { + try { + # Try if $member is a AD group and get all members of this group including all nested groups + $admins += (Get-ADGroupMember $member -Recursive | Select-Object -ExpandProperty SamAccountName) + } + catch { + # TODO catch unterscheiden nach nicht gefunden oder active directory Fehler + # If it is not a AD group, it has to be a local account, so add it (we assume local groups are not used inside the company) + $admins += $member + } + } + foreach ($sqlAgentName in $sqlAgentNames) { + foreach ($admin in $admins) { + if ($admin -eq $sqlAgentName) { + $sqlAdmins += $sqlAgentName + } + } + } + if ($null -eq $sqlAdmins) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Following service accounts are administrator: " + $sqlAdmins) + $obj | Add-Member NoteProperty Audit("False") + } + Write-Output $obj +} + +function Test-SQLFullTextServiceAccountIsNotAnAdministrator { + <# +.Synopsis + 
Ensure the SQL Server’s Full-Text Service Account is Not an Administrator +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.7 - Ensure the SQL Server’s Full-Text Service Account is Not an Administrator + + The service account and/or service SID used by the MSSQLFDLauncher service for a default instance or MSSQLFDLauncher$ service for a named instance should not be a member of the Windows Administrator group either directly or indirectly (via a group). This also means that the account known as LocalSystem (aka NT AUTHORITY\SYSTEM) should not be used for the Full-Text service as this account has higher privileges than the SQL Server service requires. + + Following the principle of least privilege, the service account should have no more privileges than required to do its job. For SQL Server services, the SQL Server Setup will assign the required permissions directly to the service SID. No additional permissions or privileges should be necessary. +#> + [CmdletBinding()] + param( + [string] $MachineName = $env:COMPUTERNAME + ) + $obj = New-Object psobject + $obj | Add-Member NoteProperty ID("3.7") + $obj | Add-Member NoteProperty Task("Ensure the SQL Server’s Full-Text Service Account is Not an Administrator") + + $smo = 'Microsoft.SqlServer.Management.Smo.' 
+ $wmi = New-Object ($smo + 'Wmi.ManagedComputer') + $singleWmi = $wmi | Where-Object {$_.Name -eq $machineName} + $sqlServices = $singleWmi.Services | Where-Object {$_.Type -eq "9"} + $sqlServiceNames = @() + foreach ($sqlS in $sqlServices) { + $sqlServiceNames += $sqlS.ServiceAccount.Substring($sqlS.serviceAccount.IndexOf("\") + 1 ) + } + + $ADSIComputer = [ADSI]("WinNT://$machineName,computer") + + try { + $group = $ADSIComputer.psbase.children.find('Administrators', 'Group') + } + catch { + try { + $group = $ADSIComputer.psbase.children.find('Administratoren', 'Group') + } + catch [System.Mangement.Automation.MethodInvocationException] { + $obj | Add-Member NoteProperty Status("MachineName not found") + $obj | Add-Member NoteProperty Audit("Warning") + return Write-Output $obj + } + } + + $members = $group.psbase.invoke("members") | ForEach-Object { + $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) + } + $admins = @() + + foreach ($member in $members) { + try { + # Try if $member is a AD group and get all members of this group including all nested groups + $admins += (Get-ADGroupMember $member -Recursive | Select-Object -ExpandProperty SamAccountName) + } + catch { + # TODO catch unterscheiden nach nicht gefunden oder active directory Fehler + # If it is not a AD group, it has to be a local account, so add it (we assume local groups are not used inside the company) + $admins += $member + } + } + foreach ($sqlServiceName in $sqlServiceNames) { + foreach ($admin in $admins) { + if ($admin -eq $sqlServiceName) { + $sqlAdmins += $sqlServiceName + } + } + } + if ($null -eq $sqlAdmins) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Following service accounts are administrator: " + $sqlAdmins) + $obj | Add-Member NoteProperty Audit("False") + } + Write-Output $obj +} + +function Test-SQLPermissionsForRolePublic { + <# +.Synopsis + Ensure only 
the default permissions specified by Microsoft are granted to the public server role. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.8 - Ensure only the default permissions specified by Microsoft are granted to the public server role. + + public is a special fixed server role containing all logins. Unlike other fixed server roles, permissions can be changed for the public role. In keeping with the principle of least + privileges, the public server role should not be used to grant permissions at the server scope as these would be inherited by all users. + + Every SQL Server login belongs to the public role and cannot be removed from this role. Therefore, any permissions granted to this role will be available to all logins unless they + have been explicitly denied to specific logins or user-defined server roles. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.8") + $obj | Add-Member NoteProperty Task("Ensure only the default permissions specified by Microsoft are granted to the public server role") + + $query = "SELECT * + FROM master.sys.server_permissions + WHERE (grantee_principal_id = SUSER_SID(N'public') and state_desc LIKE + 'GRANT%') + AND NOT (state_desc = 'GRANT' and [permission_name] = 'VIEW ANY DATABASE' + and class_desc = 'SERVER') + AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and + class_desc = 'ENDPOINT' and major_id = 2) + AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and + class_desc = 'ENDPOINT' and major_id = 3) + AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' and + class_desc = 'ENDPOINT' and major_id = 4) + AND NOT (state_desc = 'GRANT' and [permission_name] = 'CONNECT' 
and + class_desc = 'ENDPOINT' and major_id = 5);" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found Permission:" + $sqlResult.permission_name) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLWindowsBuiltinNoSqlLogin { + <# +.Synopsis + Ensure Windows BUILTIN groups are not SQL Logins. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.9 - Ensure Windows BUILTIN groups are not SQL Logins. + + Prior to SQL Server 2008, the BUILTIN\Administrators group was added a SQL Server login with sysadmin privileges during installation by default. Best practices promote + creating an Active Directory level group containing approved DBA staff accounts and using this controlled AD group as the login with sysadmin privileges. The AD group should be + specified during SQL Server installation and the BUILTIN\Administrators group would therefore have no need to be a login. + + The BUILTIN groups (Administrators, Everyone, Authenticated Users, Guests, etc.) generally contain very broad memberships which would not meet the best practice of ensuring only + necessary users have been granted access to a SQL Server instance. These groups should not be used for any level of access into a SQL Server Database Engine instance. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.9") + $obj | Add-Member NoteProperty Task("Ensure Windows BUILTIN groups are not SQL Logins") + + $query = "SELECT pr.[name], pe.[permission_name], pe.[state_desc] + FROM sys.server_principals pr + JOIN sys.server_permissions pe + ON pr.principal_id = pe.grantee_principal_id + WHERE pr.name like 'BUILTIN%';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found Account(s):" + $sqlResult.name) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLWindowsLocalGroupsNoSqlLogin { + <# +.Synopsis + Ensure Windows local groups are not SQL Logins. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.10 - Ensure Windows local groups are not SQL Logins. + + Local Windows groups should not be used as logins for SQL Server instances. 
+ + Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local + Windows groups and thereby give themselves or others access to the SQL Server instance. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.10") + $obj | Add-Member NoteProperty Task("Ensure Windows local groups are not SQL Logins") + + $query = "USE [master] + GO + SELECT pr.[name] AS LocalGroupName, pe.[permission_name], pe.[state_desc] + FROM sys.server_principals pr + JOIN sys.server_permissions pe + ON pr.[principal_id] = pe.[grantee_principal_id] + WHERE pr.[type_desc] = 'WINDOWS_GROUP' + AND pr.[name] like CAST(SERVERPROPERTY('MachineName') AS nvarchar) + '%';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found Group(s):" + $sqlResult.LocalGroupName) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLPublicRoleMsdbDatabase { + <# +.Synopsis + Ensure the public role in the msdb database is not granted access to SQL Agent proxies. 
+.DESCRIPTION + CIS SQL Server 2016 Benchmark - 3 Authentication and Authorization + + 3.11 - Ensure the public role in the msdb database is not granted access to SQL Agent proxies. + + Local Windows groups should not be used as logins for SQL Server instances. + + Allowing local Windows groups as SQL Logins provides a loophole whereby anyone with OS level administrator rights (and no SQL Server rights) could add users to the local + Windows groups and thereby give themselves or others access to the SQL Server instance. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("3.11") + $obj | Add-Member NoteProperty Task("Ensure the public role in the msdb database is not granted access to SQL Agent proxies") + + $query = "USE [msdb] + GO + SELECT sp.name AS proxyname + FROM dbo.sysproxylogin spl + JOIN sys.database_principals dp + ON dp.sid = spl.sid + JOIN sysproxies sp + ON sp.proxy_id = spl.proxy_id + WHERE principal_id = USER_ID('public'); + GO" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found:" + $sqlResult.proxyname) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + 
Write-Output $obj +} +#endregion + +#region 4 Password Policies +# +# This section contains recommendations related to SQL Server's password policies. +# + +function Test-SQLMustChangeOptionIsOn { + <# +.Synopsis + Ensure the public role in the msdb database is not granted access to SQL Agent proxies. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 4 Password Policies + + 4.1 - Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins. + + Whenever this option is set to ON, SQL Server will prompt for an updated password the first time the new or altered login is used. + + Enforcing a password change after a reset or new login creation will prevent the account administrators or anyone accessing the initial password from misuse of the SQL login created without being noticed. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("4.1") + $obj | Add-Member NoteProperty Task("Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins") + + $query = "SELECT name, create_date + FROM sys.sql_logins" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlLogins = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlLogins = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + $mustChangeLogins = @() + foreach ($sqlLogin in $sqlLogins) { + $loginName = $sqlLogin.name + $query2 = "SELECT LOGINPROPERTY('$loginName', 'PasswordLastSetTime') AS 'PasswordLastSetTime'" + + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $SqlInstance -ne "MSSQLSERVER") { + $loginProperty = Invoke-Sqlcmd -Query $query2 -ServerInstance $instanceName -ErrorAction Stop + 
} + else { + $loginProperty = Invoke-Sqlcmd -Query $query2 -ServerInstance $MachineName -ErrorAction Stop + } + + if ((Get-Date $sqlLogin.create_date) -gt (Get-Date $loginProperty.PasswordLastSetTime)) { + $mustChangeLogins += $sqlLogin + } + } + if ($mustChangeLogins.Count -gt 0) { + $obj | Add-Member NoteProperty Status("Following Logins Must Change their password: " + $mustChangeLogins.name) + $obj | Add-Member NoteProperty Audit("False") + + } + else { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + Write-Output $obj +} + +function Test-SQLCheckExpirationOptionOn { + <# +.Synopsis + Ensure the public role in the msdb database is not granted access to SQL Agent proxies. +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 4 Password Policies + + 4.2 - Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role. + + Applies the same password expiration policy used in Windows to passwords used inside SQL Server. + + Ensuring SQL logins comply with the secure password policy applied by the Windows Server Benchmark will ensure the passwords for SQL logins with sysadmin privileges are + changed on a frequent basis to help prevent compromise via a brute force attack. CONTROL SERVER is an equivalent permission to sysadmin and logins with that permission should + also be required to have expiring passwords. 
+#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("4.2") + $obj | Add-Member NoteProperty Task("Ensure 'CHECK_EXPIRATION' Option is set to 'ON' for All SQL Authenticated Logins Within the Sysadmin Role") + + $query = "SELECT l.[name], 'sysadmin membership' AS 'Access_Method' + FROM sys.sql_logins AS l + WHERE IS_SRVROLEMEMBER('sysadmin',name) = 1 + AND l.is_expiration_checked <> 1 + UNION ALL + SELECT l.[name], 'CONTROL SERVER' AS 'Access_Method' + FROM sys.sql_logins AS l + JOIN sys.server_permissions AS p + ON l.principal_id = p.grantee_principal_id + WHERE p.type = 'CL' AND p.state IN ('G', 'W') + AND l.is_expiration_checked <> 1;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + [string]$s = $null + $s = $sqlResult -join ", " + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found missmatching account(s): " + $s.name) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLCheckPolicyOptionOn { + <# +.Synopsis + Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins. 
+.DESCRIPTION + CIS SQL Server 2016 Benchmark - 4 Password Policies + + 4.3 - Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins. + + Applies the same password complexity policy used in Windows to passwords used inside SQL Server. + + Ensure SQL authenticated login passwords comply with the secure password policy applied by the Windows Server Benchmark so that they cannot be easily compromised via brute + force attack. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("4.3") + $obj | Add-Member NoteProperty Task("Ensure 'CHECK_POLICY' Option is set to 'ON' for All SQL Authenticated Logins") + + $query = "SELECT name, is_disabled + FROM sys.sql_logins + WHERE is_policy_checked = 0;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Found missmatching account(s):" + $sqlResult.name) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} +#endregion + +#region 5 Auditing and Logging +# +#This section contains recommendations related to SQL Server's audit and logging mechanisms. 
+# + +function Test-SQLMaximumNumberOfErrorLogFiles { + <# + .Synopsis + Ensure 'Maximum number of error log files' is set to greater than or equal to '12' + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 5 Auditing and Logging + + 5.1 Ensure 'Maximum number of error log files' is set to greater than or equal to '12' + + SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. Retaining more error logs helps prevent loss from frequent recycling before backups can occur. + + The SQL Server error log contains important information about major server events and login attempt information as well. + #> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("5.1") + $obj | Add-Member NoteProperty Task("Ensure 'Maximum number of error log files' is set to greater than or equal to '12'") + + $query = "DECLARE @NumErrorLogs int; + EXEC master.sys.xp_instance_regread + N'HKEY_LOCAL_MACHINE', + N'Software\Microsoft\MSSQLServer\MSSQLServer', + N'NumErrorLogs', @NumErrorLogs OUTPUT; + SELECT ISNULL(@NumErrorLogs, -1) AS [NumberOfLogFiles];" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + $numberOfLogFiles = $sqlResult.NumberOfLogFiles + + if ($numberOfLogFiles -ge 12) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Maximum number of error log files is set to $numberOfLogFiles") + $obj | 
Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLDefaultTraceEnabled { + <# + .Synopsis + Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 5 Auditing and Logging + + 5.2 Ensure 'Default Trace Enabled' Server Configuration Option is set to '1' + + The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands. + + Default trace provides valuable audit information regarding security-related activities on the server. + #> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("5.2") + $obj | Add-Member NoteProperty Task("Ensure 'Default Trace Enabled' Server Configuration Option is set to '1'") + + $query = "SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use + FROM sys.configurations + WHERE name = 'default trace enabled';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if (($sqlResult.value_configured -eq 1) -and ($sqlResult.value_in_use -eq 1)) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Maximum number of error log files too 
high") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLLoginAuditingIsSetToFailedLogins { + <# + .Synopsis + Ensure 'Login Auditing' is set to 'failed logins' + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 5 Auditing and Logging + + 5.3 Ensure 'Login Auditing' is set to 'failed logins' + + This setting will record failed authentication attempts for SQL Server logins to the SQL Server Errorlog. This is the default setting for SQL Server. + Default trace provides valuable audit information regarding security-related activities on the server. + Historically, this setting has been available in all versions and editions of SQL Server. Prior to the availability of SQL Server Audit, this was the only provided mechanism for capturing logins (successful or failed). + + Capturing failed logins provides key information that can be used to detect\confirm password guessing attacks. Capturing successful login attempts can be used to confirm server access during forensic investigations, but using this audit level setting to also capture successful logins creates excessive noise in the SQL Server Errorlog which can hamper a DBA trying to troubleshoot problems. Elsewhere in this benchmark, we recommend using the newer lightweight SQL Server Audit feature to capture both successful and failed logins. 
+ #> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("5.3") + $obj | Add-Member NoteProperty Task("Ensure 'Login Auditing' is set to 'failed logins'") + + $query = "EXEC xp_loginconfig 'audit level';" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ($sqlResult.config_value -eq "failure") { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("config_value is set to: " + $sqlResult.config_value) + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} + +function Test-SQLLoginAuditingIsSetToFailedAndSuccessfulLogins { + <# + .Synopsis + Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 5 Auditing and Logging + + 5.4 Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins' + + SQL Server Audit is capable of capturing both failed and successful logins and writing them to one of three places: the application event log, the security event log, or the file system. We will use it to capture any login attempt to SQL Server, as well as any attempts to change audit policy. 
This will also serve to be a second source to record failed login attempts. + + By utilizing Audit instead of the traditional setting under the Security tab to capture successful logins, we reduce the noise in the ERRORLOG. This keeps it smaller and easier to read for DBAs who are attempting to troubleshoot issues with the SQL Server. Also, the Audit object can write to the security event log, though this requires operating system configuration. This gives an additional option for where to store login events, especially in conjunction with an SIEM. + #> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("5.4") + $obj | Add-Member NoteProperty Task("Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins'") + + $query = "SELECT + S.name AS 'Audit Name' + , CASE S.is_state_enabled + WHEN 1 THEN 'Y' + WHEN 0 THEN 'N' END AS 'Audit Enabled' + , S.type_desc AS 'Write Location' + , SA.name AS 'Audit Specification Name' + , CASE SA.is_state_enabled + WHEN 1 THEN 'Y' + WHEN 0 THEN 'N' END AS 'Audit Specification Enabled' + , SAD.audit_action_name + , SAD.audited_result + FROM sys.server_audit_specification_details AS SAD + JOIN sys.server_audit_specifications AS SA + ON SAD.server_specification_id = SA.server_specification_id + JOIN sys.server_audits AS S + ON SA.audit_guid = S.audit_guid + WHERE SAD.audit_action_id IN ('CNAU', 'LGFL', 'LGSD'); + GO" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResults = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResults = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + $auditSpecifications = @() + 
foreach ($sqlResult in $sqlResults) { + switch ($sqlResult.audit_action_name) { + "AUDIT_CHANGE_GROUP" { + $auditSpecifications += ($sqlResult) + } + "FAILED_LOGIN_GROUP" { + $auditSpecifications += ($sqlResult) + } + "SUCCESSFUL_LOGIN_GROUP" { + $auditSpecifications += ($sqlResult) + } + Default {} + } + } + $foundSpecifications = @() + foreach ($auditSpecification in $auditSpecifications) { + if ((($auditspecification | Select-Object -ExpandProperty "Audit Enabled") -ne "Y") -or ` + (($auditspecification | Select-Object -ExpandProperty "Audit Specification Enabled") -ne "Y") -or ` + ($auditspecification.audited_result -ne "SUCCESS AND FAILURE")) { + $foundSPecifications += $auditSpecification.audit_action_name + } + } + if ($null -eq $sqlResult) { + $obj | Add-Member NoteProperty Status("TrackLogins file not found") + $obj | Add-Member NoteProperty Audit("Warning") + } + else { + if ($foundSpecifications.count -eq 0) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + [string]$s = $null + $s = $foundSpecifications -join ", " + $obj | Add-Member NoteProperty Status("Found following specifications: $s") + $obj | Add-Member NoteProperty Audit("False") + } + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + Write-Output $obj +} +#endregion + +#region 6 Application Development +# +# This section contains recommendations related to developing applications that interface with SQL Server. +# +function Test-CLRAssemblyPermissionSet { + <# +.Synopsis + Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies +.DESCRIPTION + CIS SQL Server 2016 Benchmark - 6 Application Development + + 6.2 - Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies. 
+ + Setting CLR Assembly Permission Sets to SAFE_ACCESS will prevent assemblies from accessing external system resources such as files, the network, environment variables, or the registry. + + Assemblies with EXTERNAL_ACCESS or UNSAFE permission sets can be used to access sensitive areas of the operating system, steal and/or transmit data and alter the state and other protection measures of the underlying Windows Operating System. Assemblies which are Microsoft-created (is_user_defined = 0) are excluded from this check as they are required for overall system functionality. +#> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("6.2") + $obj | Add-Member NoteProperty Task("Ensure 'CLR Assembly Permission Set' is set to 'SAFE_ACCESS' for All CLR Assemblies") + + $query = "SELECT name, + permission_set_desc + FROM sys.assemblies + where is_user_defined = 1;" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $assemblies = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $assemblies = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + $unSafeAssemblies = @() + foreach ($assembly in $assemblies) { + if ($assembly.permission_set_desc -ne "SAFE_ACCESS") { + $unSafeAssemblies += $assembly + } + } + if ($unSafeAssemblies.Count -gt 0 ) { + $obj | Add-Member NoteProperty Status("Found unsafe assmblies: " + $unSafeAssemblies) + $obj | Add-Member NoteProperty Audit("False") + } + else { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server 
Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + Write-Output $obj +} +#endregion + +#region 7 Encryption +# +# These recommendations pertain to encryption-related aspects of SQL Server. +# +function Test-SQLSymmetricKeyEncryptionAlgorithm { + <# + .Synopsis + Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 7 Encryption + + 7.1 Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases + + Per the Microsoft Best Practices, only the SQL Server AES algorithm options, AES_128, AES_192, and AES_256, should be used for a symmetric key encryption algorithm. + + The following algorithms (as referred to by SQL Server) are considered weak or deprecated and should no longer be used in SQL Server: DES, DESX, RC2, RC4, RC4_128. + Many organizations may accept the Triple DES algorithms (TDEA) which use keying options 1 (3 key aka 3TDEA) or keying option 2 (2 key aka 2TDEA). In SQL Server, these are referred to as TRIPLE_DES_3KEY and TRIPLE_DES respectively. Additionally, the SQL Server algorithm named DESX is actually the same implementation as the TRIPLE_DES_3KEY option. However, using the DESX identifier as the algorithm type has been deprecated and its usage is now discouraged. 
+ #> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $databases = Get-SqlDatabase -ServerInstance $InstanceName -ErrorAction Stop | Where-Object {$_.IsSystemObject -ne "true"} | Select-Object -ExpandProperty name + } + else { + $databases = Get-SqlDatabase -ServerInstance $MachineName -ErrorAction Stop | Where-Object {$_.IsSystemObject -ne "true"} | Select-Object -ExpandProperty name + } + + if ($databases.Count -eq 0) { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.1") + $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases") + $obj | Add-Member NoteProperty Status("No databases found") + $obj | Add-Member NoteProperty Audit("True") + return $obj + } + $index = 1 + + foreach ($database in $databases) { + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.1.$index") + $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher for database $database") + + + $query = "USE [$database] + GO + SELECT db_name() AS db_name, name AS Key_Name + FROM sys.symmetric_keys + WHERE algorithm_desc NOT IN ('AES_128','AES_192','AES_256') + AND db_id() > 4; + GO" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj 
| Add-Member NoteProperty Status("Got $sqlResult") + $obj | Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + + Write-Output $obj + + $index++ + } + } + catch { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.1") + $obj | Add-Member NoteProperty Task("Ensure 'Symmetric Key encryption algorithm' is set to 'AES_128' or higher in non-system databases") + $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") + $obj | Add-Member NoteProperty Audit("Warning") + Write-Output $obj + } +} + +function Test-SQLAsymmetricKeySize { + <# + .Synopsis + Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 7 Encryption + + 7.2 Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases + + Microsoft Best Practices recommend to use at least a 2048-bit encryption algorithm for asymmetric keys. + + The RSA_2048 encryption algorithm for asymmetric keys in SQL Server is the highest bitlevel provided and therefore the most secure available choice (other choices are RSA_512 and RSA_1024). 
+ #> + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME, + + [string] $InstanceName = "$machineName\$sqlInstance" + ) + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $databases = Get-SqlDatabase -ServerInstance $InstanceName -ErrorAction Stop | Where-Object {$_.IsSystemObject -ne "true"} | Select-Object -ExpandProperty name + } + else { + $databases = Get-SqlDatabase -ServerInstance $MachineName -ErrorAction Stop | Where-Object {$_.IsSystemObject -ne "true"} | Select-Object -ExpandProperty name + } + + if ($databases.Count -eq 0) { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.2") + $obj | Add-Member NoteProperty Task("Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases") + $obj | Add-Member NoteProperty Status("No databases found") + $obj | Add-Member NoteProperty Audit("True") + return $obj + } + + $index = 1 + + foreach ($database in $databases) { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.2.$index") + $obj | Add-Member NoteProperty Task("Ensure CONNECT permissions on the 'guest' user is revoked for database $database") + + $query = "USE [$database] + GO + SELECT db_name() AS db_name, name AS Key_Name + FROM sys.symmetric_keys + WHERE key_length < 2048 + AND db_id() > 4; + GO" + + try { + if ($PsCmdlet.ParameterSetName -eq "ByInstance" -and $sqlInstance -ne "MSSQLSERVER") { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $instanceName -ErrorAction Stop + } + else { + $sqlResult = Invoke-Sqlcmd -Query $query -ServerInstance $MachineName -ErrorAction Stop + } + if ( $null -eq $sqlResult ) { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("Got $sqlResult") + $obj | 
Add-Member NoteProperty Audit("False") + } + } + catch [System.Data.SqlClient.SqlException] { + $obj | Add-Member NoteProperty Status("Server Instance not found or accessible") + $obj | Add-Member NoteProperty Audit("Warning") + } + + + Write-Output $obj + + $index++ + } + + } + catch { + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("7.2") + $obj | Add-Member NoteProperty Task("Ensure Asymmetric Key Size is set to 'greater than or equal to 2048' in non-system databases") + $obj | Add-Member NoteProperty Status("Failed to connect to server $instanceName") + $obj | Add-Member NoteProperty Audit("Warning") + Write-Output $obj + } +} + +#endregion + +#region 8 Appendix: Additional Considerations +# +# This appendix discusses possible configuration options for which no recommendation is being given. +# +function Test-SQLServerBrowserService { + <# + .Synopsis + Ensure 'SQL Server Browser Service' is configured correctly + .DESCRIPTION + CIS SQL Server 2016 Benchmark - 8 Appendix: Additional Considerations + + 8.1 Ensure 'SQL Server Browser Service' is configured correctly + + No recommendation is being given on disabling the SQL Server Browser service. 
+ #> + [CmdletBinding()] + + $obj = New-Object PSObject + $obj | Add-Member NoteProperty ID("8.1") + $obj | Add-Member NoteProperty Task("Ensure 'SQL Server Browser Service' is configured correctly") + + try { + $sqlBrowserService = Get-Service -name 'sqlbrowser' + + if ($sqlBrowserService.Status -eq 'stopped') { + if ($sqlBrowserService.StartType -eq 'Disabled') { + $obj | Add-Member NoteProperty Status("All good") + $obj | Add-Member NoteProperty Audit("True") + } + else { + $obj | Add-Member NoteProperty Status("StartType: Enabled") + $obj | Add-Member NoteProperty Audit("Warning") + } + } + else { + $obj | Add-Member NoteProperty Audit("False") + if ($sqlBrowserService.StartType -eq 'Disabled') { + $obj | Add-Member NoteProperty Status("SQL Server Browser is running") + } + else { + $obj | Add-Member NoteProperty Status("SQL Server Browser is running and StartType: Enabled") + } + } + } + catch [Microsoft.PowerShell.Commands.ServiceCommandException] { + $obj | Add-Member NoteProperty Status("Connot find any service with service name 'sqlbrowser'") + $obj | Add-Member NoteProperty Audit("Warning") + } + Write-Output $obj +} +#endregion + +#region Hyperfunctions +function Convert-ToAuditInfo { + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [Psobject] $auditObject + ) + + process { + Write-Output @{ + Id = $auditObject.ID + Task = $auditObject.Task + Message = $auditObject.Status + Status = $auditObject.Audit + } + } +} +#endregion + +#region Reportgeneration +function Get-SQL2016AuditInfos { + [CmdletBinding(DefaultParameterSetName = "Default")] + param( + [Parameter(Mandatory = $true, ParameterSetName = "ByInstance")] + [string] $SqlInstance, + + [string] $MachineName = $env:COMPUTERNAME + ) + + switch ($PsCmdlet.ParameterSetName) { + "ByInstance" { + $sqlInstances = $sqlInstance + break + } + "Default" { + $smo = 'Microsoft.SqlServer.Management.Smo.' 
+ $wmi = New-Object ($smo + 'Wmi.ManagedComputer') + $singleWmi = $wmi | Where-Object { $_.Name -eq $machineName } + $sqlServer = $singleWmi.Services | Where-Object { $_.Type -eq "SqlServer" } + $sqlInstances = $sqlServer ` + | Foreach-Object { $_.Name.Substring($_.Name.IndexOf('$') + 1) } ` + # | Where-Object { $_ -ne "MSSQLSERVER" } + } + } + + $InstanceAudits = @() + foreach ($sqlInstance in $sqlInstances) { + $auditInfos = @() + + # Section 2 + $auditInfos += Test-SQLAdHocDistributedQueriesDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLClrEnabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLCrossDBOwnershipDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLDatabaseMailXPsDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLOleAutomationProceduresDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLRemoteAccessDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLRemoteAdminConnectionsDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLScanForStartupProcsDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLTrustworthyDatabaseOff -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLServerProtocolsDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLUseNonStandardPorts -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLHideInstanceEnabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLSaLoginAccountDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLSaLoginAccountRenamed -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLXpCommandShellDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += 
Test-SQLAutoCloseOff -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLNoSaAccounnt -MachineName $machineName -SqlInstance $sqlInstance + + # Section 3 + $auditInfos += Test-SQLServerAuthentication -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLGuestPermissionOnDatabases -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLDropOrphanedUsers -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLAuthenticationDisabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLServerServiceAccountIsNotAnAdministrator -MachineName $machineName + $auditInfos += Test-SQLAgentServiceAccountIsNotAnAdministrator -MachineName $machineName + $auditInfos += Test-SQLFullTextServiceAccountIsNotAnAdministrator -MachineName $machineName + $auditInfos += Test-SQLPermissionsForRolePublic -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLWindowsBuiltinNoSqlLogin -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLWindowsLocalGroupsNoSqlLogin -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLPublicRoleMsdbDatabase -MachineName $machineName -SqlInstance $sqlInstance + + # Section 4 + $auditInfos += Test-SQLMustChangeOptionIsOn -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLCheckExpirationOptionOn -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLCheckPolicyOptionOn -MachineName $machineName -SqlInstance $sqlInstance + + # Section 5 + $auditInfos += Test-SQLMaximumNumberOfErrorLogFiles -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLDefaultTraceEnabled -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLLoginAuditingIsSetToFailedLogins -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLLoginAuditingIsSetToFailedAndSuccessfulLogins -MachineName 
$machineName -SqlInstance $sqlInstance + + # Section 6 + $auditInfos += Test-CLRAssemblyPermissionSet -MachineName $machineName -SqlInstance $sqlInstance + + # Section 7 + $auditInfos += Test-SQLSymmetricKeyEncryptionAlgorithm -MachineName $machineName -SqlInstance $sqlInstance + $auditInfos += Test-SQLAsymmetricKeySize -MachineName $machineName -SqlInstance $sqlInstance + + # Section 8 + $auditInfos += Test-SQLServerBrowserService + + $InstanceAudits += @{ + InstanceName = $sqlInstance + AuditInfos = $auditInfos | Convert-ToAuditInfo + } + } + + return $InstanceAudits +} + +switch ($PsCmdlet.ParameterSetName) { + "ByInstance" { + $InstanceAudits = (Get-SQL2016AuditInfos -SqlInstance $sqlInstance -MachineName $machineName) + break + } + "ByAuditInfo" { + break + } + "Default" { + $InstanceAudits = (Get-SQL2016AuditInfos) + } +} + +[Report] @{ + Title = "SQL 2016 Benchmarks" + ModuleName = "ATAPAuditor" + BasedOn = "CIS Microsoft SQL Server 2016 Benchmark, Version: 1.0.0, Date: 2017-11-08" + Sections = @( + foreach ($InstanceAudit in $InstanceAudits) { + [ReportSection] @{ + Title = $InstanceAudit.InstanceName + Description = "This section contains the audits for the sqlInstance $($InstanceAudit.InstanceName)" + SubSections = @( + [ReportSection] @{ + Title = "2 Surface Area Reduction" + Description = "SQL Server offers various configuration options, some of them can be controlled by the sp_configure stored procedure. This section contains the listing of the corresponding recommendations." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "2.*"} + } + [ReportSection] @{ + Title = "3 Authentication and Authorization" + Description = "This section contains recommendations related to SQL Server's authentication and authorization mechanisms." 
+ AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "3.*"} + } + [ReportSection] @{ + Title = "4 Password Policies" + Description = "This section contains recommendations related to SQL Server's password policies." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "4.*"} + } + [ReportSection] @{ + Title = "5 Auditing and Logging" + Description = "This section contains recommendations related to SQL Server's audit and logging mechanisms." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "5.*"} + } + [ReportSection] @{ + Title = "6 Application Development" + Description = "This section contains recommendations related to developing applications that interface with SQL Server." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "6.*"} + } + [ReportSection] @{ + Title = "7 Encryption" + Description = "These recommendations pertain to encryption-related aspects of SQL Server." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "7.*"} + } + [ReportSection] @{ + Title = "8 Appendix: Additional Considerations" + Description = "This appendix discusses possible configuration options for which no recommendation is being given." + AuditInfos = $InstanceAudit.AuditInfos | Where-Object {$_.Id -like "8.*"} + } + ) + } + } + ) +} +#endregion diff --git a/ATAPAuditor/Reports/Microsoft Windows 10 BSI.ps1 b/ATAPAuditor/Reports/Microsoft Windows 10 BSI.ps1 new file mode 100644 index 0000000..a83242e --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 10 BSI.ps1 
@@ -0,0 +1,114 @@ +[Report] @{ + Title = "Windows 10 BSI Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "BSI Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "BSI SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS Logging' + Description = "This section contains all BSI logging recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies" + } + ) + } + try { + # Get domain role + # 0 {"Standalone Workstation"} + # 1 {"Member Workstation"} + # 2 {"Standalone Server"} + # 3 {"Member Server"} + # 4 {"Backup Domain Controller"} + # 5 {"Primary Domain Controller"} + $domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole + } catch { + $domainRole = 99 + } + # if system is Member Workstation + if ($domainRole -eq 1) { + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS HD' + Description = "This section contains all BSI HD recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AccountPolicies" 
+ } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#SecurityOptions" + } + ) + } + } else { + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS NE' + Description = "This section contains all BSI NE recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions" + } + ) + } + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHus-BSI Telemetrie' + Description = "This section contains all BSI telemetry recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} 
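Review bot: In the domain-role detection inside `Sections`, the `catch` falls back to `$domainRole = 99` silently, so a CIM failure on a domain-joined workstation makes the report audit the NE profile instead of HD with nothing in the output saying why; emit at least a `Write-Warning` in the `catch` (or carry the fallback into the section description) so the profile choice is visible to the reader. The same try/catch and role-number comment block is repeated verbatim in the Windows 10 and Windows 11 report files in this patch; a single helper in the module would keep the three copies from drifting.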
diff --git a/ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 b/ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 new file mode 100644 index 0000000..223b19f --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 10 GDPR.ps1 
@@ -0,0 +1,50 @@ +[Report] @{ + Title = "Windows 10 GDPR Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + 'Bundesamt für Sicherheit in der Informationstechnik (BSI), Version: V1.2, Date: 2020-04-27' + 'GDPR settings by Microsoft, Version: 16082019, Date: 2019-08-16' + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "BSI Recommendations" + Description = "This section contains the Telemetry-Recommendations of the Federal Office for Information Security (BSI)" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings" + AuditInfos = Test-AuditGroup "Microsoft Windows 10 GDPR-MS-16082019#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "Data Protection Microsoft" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Telemetry" + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows 10 Stand-alone.ps1 b/ATAPAuditor/Reports/Microsoft Windows 10 Stand-alone.ps1 new file mode 100644 index 0000000..c0cf77d 
--- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 10 Stand-alone.ps1 
@@ -0,0 +1,103 @@ +[Report] @{ + Title = "Windows 10 Stand-alone Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 2.0.0, Date: 2023-05-17" + "BSI Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "BSI SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Stand-alone Benchmarks' + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Stand-alone-CIS-2.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Stand-alone-CIS-2.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Stand-alone-CIS-2.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Stand-alone-CIS-2.0.0#SecurityOptions" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Stand-alone-CIS-2.0.0#UserRights" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS Logging' + Description = 'This section contains the BSI Benchmark results.' 
+ SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHus-BSI Telemetrie' + Description = 'This section contains the BSI Benchmark results.' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS NE' + Description = 'This section contains the BSI Benchmark results.' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - 
User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows 10.ps1 b/ATAPAuditor/Reports/Microsoft Windows 10.ps1 new file mode 100644 index 0000000..65f9cfd --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 10.ps1 
@@ -0,0 +1,199 @@ +[Report] @{ + Title = "Windows 10 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows 10 Enterprise, Version: 3.0.0, Date: 2024-02-22" + "Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18" + "BSI Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "BSI SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "DISA Windows 10 Security Technical Implementation Guide, Version: V1R23, Date: 2019-10-25" + "ACSC Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2021, Date 2021-10-01" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Benchmarks' + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-3.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-3.0.0#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-3.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-3.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-CIS-3.0.0#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'Microsoft Benchmarks' + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 
10-Microsoft-21H1#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Microsoft-21H1#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Microsoft-21H1#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Microsoft-21H1#AuditPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-Microsoft-21H1#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS Logging' + Description = 'This section contains all BSI logging recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies" + } + ) + } + try { + # Get domain role + # 0 {"Standalone Workstation"} + # 1 {"Member Workstation"} + # 2 {"Standalone Server"} + # 3 {"Member Server"} + # 4 {"Backup Domain Controller"} + # 5 {"Primary Domain Controller"} + $domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole + } catch { + $domainRole = 99 + } + # if system is Member Workstation + if ($domainRole -eq 1) { + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS HD' + Description = 'This section contains all BSI HD recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account 
Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AccountPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#SecurityOptions" + } + ) + } + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHus-BSI Telemetrie' + Description = 'This section contains all BSI telemetry recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R23#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R23#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R23#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R23#AuditPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-DISA-V1R23#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'ACSC Benchmarks' + Description = "This section contains all ACSC recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-ACSC-21H1#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-ACSC-21H1#AuditPolicies" + } + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 
10-ACSC-21H1#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-ACSC-21H1#SecurityOptions" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10-ACSC-21H1#UserRights" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows 11 Stand-alone.ps1 b/ATAPAuditor/Reports/Microsoft Windows 11 Stand-alone.ps1 new file mode 100644 index 0000000..c2f0a14 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 11 Stand-alone.ps1 
@@ -0,0 +1,103 @@ +[Report] @{ + Title = "Windows 11 Stand-alone Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 2.0.0, Date: 2023-05-04" + "BSI Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "BSI SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2019-07-31" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Stand-alone Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Stand-alone-CIS-2.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Stand-alone-CIS-2.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Stand-alone-CIS-2.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Stand-alone-CIS-2.0.0#SecurityOptions" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Stand-alone-CIS-2.0.0#UserRights" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS Logging' + Description = 'This section contains all BSI logging recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS 
Logging-BSI-1.3#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHus-BSI' + Description = 'This section contains all BSI telemetry recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS NE' + Description = 'This section contains all BSI NE recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Reports/Microsoft Windows 11.ps1 b/ATAPAuditor/Reports/Microsoft Windows 11.ps1 new file mode 100644 index 0000000..dad6094 
--- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 11.ps1 
@@ -0,0 +1,168 @@ +[Report] @{ + Title = "Windows 11 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows 11 Enterprise 4.0.0 Benchmark, Version: 4.0.0, Date: 2025-03-19" + "Microsoft Security baseline for Microsoft Windows 11, Version: 22H2, Date: 2022-09-20" + "BSI Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "BSI SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2019-07-31" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-CIS-4.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-CIS-4.0.0#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-CIS-4.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-CIS-4.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-CIS-4.0.0#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = "Microsoft Benchmarks" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Microsoft-22H2#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Microsoft-22H2#UserRights" + } + 
[ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Microsoft-22H2#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Microsoft-22H2#AuditPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 11-Microsoft-22H2#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS Logging' + Description = 'This section contains all BSI logging recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS Logging-BSI-1.3#AuditPolicies" + } + ) + } + try { + # Get domain role + # 0 {"Standalone Workstation"} + # 1 {"Member Workstation"} + # 2 {"Standalone Server"} + # 3 {"Member Server"} + # 4 {"Backup Domain Controller"} + # 5 {"Primary Domain Controller"} + $domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole + } catch { + $domainRole = 99 + } + # if system is Member Workstation + if ($domainRole -eq 1) { + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS HD' + Description = 'This section contains all BSI HD recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#AccountPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup 
"Microsoft Windows 10 SiSyPHuS HD-BSI-1.3#SecurityOptions" + } + ) + } + } else { + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHuS NE' + Description = 'This section contains all BSI NE recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#RegistrySettings" + } + [ReportSection] @{ + Title = 'User Rights Assignment' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#UserRights" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#AccountPolicies" + } + [ReportSection] @{ + Title = 'Security Options' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHuS NE-BSI-1.3#SecurityOptions" + } + ) + } + } + [ReportSection] @{ + Title = 'BSI Benchmarks SiSyPHus-BSI' + Description = 'This section contains all BSI telemetry recommendations' + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 10 SiSyPHus-Telemetrie-BSI-V1.2#RegistrySettings" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} 
diff --git a/ATAPAuditor/Reports/Microsoft Windows 7.ps1 b/ATAPAuditor/Reports/Microsoft Windows 7.ps1 new file mode 100644 index 0000000..43a1bc9 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows 7.ps1 @@ -0,0 +1,47 @@ +[Report] @{ + Title = "Windows 7 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows 7 Workstation Benchmark, Version: 3.1.0, Date: 2018-03-02" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Benchmarks' + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Registry Settings/Group Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 7-CIS-3.1.0#RegistrySettings" + } + [ReportSection] @{ + Title = 'Account Policies' + AuditInfos = Test-AuditGroup "Microsoft Windows 7-CIS-3.1.0#AccountPolicies" + } + [ReportSection] @{ + Title = 'Advanced Audit Policy Configuration' + AuditInfos = Test-AuditGroup "Microsoft Windows 7-CIS-3.1.0#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} 
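Review bot: The CIS section of `Microsoft Windows 7.ps1` defines only `RegistrySettings`, `AccountPolicies` and `AuditPolicies` subsections, while every other report in this patch also wires up `UserRights` and `SecurityOptions`; if the `Microsoft Windows 7-CIS-3.1.0` audit group genuinely has no entries for those categories, a comment saying so would make the omission look deliberate rather than forgotten. The title `"Windows 7 Report"` also drops the `Audit` that the server reports use (`"Windows Server 2012 Audit Report"`), which is worth aligning since the title is what ends up on the generated document.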
diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2012.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2012.ps1 new file mode 100644 index 0000000..f05f961 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2012.ps1 
@@ -0,0 +1,76 @@ + +[Report] @{ + Title = "Windows Server 2012 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows Server 2012 R2 Benchmark, Version: 3.0.0, Date: 2023-10-20", + "DISA Microsoft Windows Server 2012 R2 Benchmark, Version: V2R19, Date: 2020-07-17", + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-CIS-3.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-CIS-3.0.0#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-CIS-3.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-CIS-3.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-CIS-3.0.0#SecurityOptions" + } + ) + } + + [ReportSection] @{ + Title = "DISA Benchmarks" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-DISA-V2R19#RegistrySettings" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 R2-DISA-V2R19#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2012 
R2-DISA-V2R19#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 new file mode 100644 index 0000000..56f83e5 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2016.ps1 
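Review bot: The `BasedOn` array in `Microsoft Windows Server 2012.ps1` mixes trailing commas on the first two entries with newline separation on the last two; PowerShell still yields four elements inside `@( )`, but the mixed style invites a future edit to produce a nested array, so use one separator consistently (the other reports use newlines only). In the same hunk the DISA source is labelled `DISA Microsoft Windows Server 2012 R2 Benchmark` whereas the 2016 and 2019 reports call the DISA documents `Security Technical Implementation Guide`; pick one name for the DISA sources. The hunk also begins with an empty `+` line before `[Report]`, which the Windows 7 and Windows 11 reports do not have.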
@@ -0,0 +1,102 @@ + +[Report] @{ + Title = "Windows Server 2016 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows Server 2016 Benchmark, Version: 3.0.0, Date: 2024-04-19" + "Microsoft Security baseline for Windows Server 2016, Version: FINAL, Date 2016-10-17" + "DISA Windows Server 2016 Security Technical Implementation Guide, Version: V1R12, Date: 2020-06-17" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-3.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-3.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-3.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-3.0.0#SecurityOptions" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-CIS-3.0.0#UserRights" + } + ) + } + [ReportSection] @{ + Title = "Microsoft Benchmarks" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-Microsoft-FINAL#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-Microsoft-FINAL#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + 
AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-Microsoft-FINAL#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-Microsoft-FINAL#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R12#AccountPolicies" + }, + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R12#SecurityOptions" + }, + [ReportSection] @{ + Title = "Registry Permissions" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R12#RegistrySettings" + }, + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2016-DISA-V1R12#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 new file mode 100644 index 0000000..e0b4f38 --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2019.ps1 
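Review bot: In the DISA section of `Microsoft Windows Server 2016.ps1`, the subsection titled `"Registry Permissions"` reads the `Microsoft Windows Server 2016-DISA-V1R12#RegistrySettings` group, the same category every other report titles `"Registry Settings/Group Policies"`; unless that group really contains registry ACL checks, rename it so the report headings stay comparable across operating systems. Minor: the Microsoft baseline entry writes `Date 2016-10-17` without the colon used by the other `BasedOn` strings, and the DISA subsections are comma-separated while the CIS and Microsoft arrays in the same file are newline-separated.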
@@ -0,0 +1,106 @@ + +[Report] @{ + Title = "Windows Server 2019 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows Server 2019 Benchmark, Version: 3.0.0, Date: 2024-03-19" + "Microsoft Security baseline for Windows Server 2019, Version: FINAL, Date 2019-06-18" + "DISA Windows Server 2019 Security Technical Implementation Guide, Version: V1R5, Date: 2020-06-17" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-3.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-3.0.0#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-3.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-3.0.0#SecurityOptions" + } + [ReportSection] @{ + Title = " Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-CIS-3.0.0#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = "Microsoft Benchmarks" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-Microsoft-FINAL#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-Microsoft-FINAL#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + 
AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-Microsoft-FINAL#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-Microsoft-FINAL#AuditPolicies" + } + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-Microsoft-FINAL#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = "DISA Recommendations" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R5#RegistrySettings" + }, + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R5#AccountPolicies" + }, + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R5#SecurityOptions" + }, + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2019-DISA-V1R5#AuditPolicies" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} 
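Review bot: In the CIS section of `Microsoft Windows Server 2019.ps1` the title `" Advanced Audit Policy Configuration"` carries a leading space, which will show up in the rendered heading and break any consumer that matches sections by title; trim it. As in the 2016 report, the DISA subsections use trailing commas while the other arrays in the file rely on newlines, and the Microsoft baseline entry writes `Date 2019-06-18` without a colon.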
diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2022.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2022.ps1 new file mode 100644 index 0000000..0d48f0e --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2022.ps1 
@@ -0,0 +1,106 @@ + +[Report] @{ + Title = "Windows Server 2022 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows Server 2022, Version: 3.0.0, Date 2023-04-14" + "Microsoft Security baseline for Microsoft Windows Server 2022, Version: FINAL, Date 2021-09-27" + "DISA Windows Server 2022, Version: V1R1, Date 2022-09-28" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-CIS-3.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-CIS-3.0.0#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-CIS-3.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-CIS-3.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-CIS-3.0.0#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = "Microsoft Benchmarks" + Description = "This section contains all Microsoft recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-Microsoft-FINAL#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-Microsoft-FINAL#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft 
Windows Server 2022-Microsoft-FINAL#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-Microsoft-FINAL#AuditPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-Microsoft-FINAL#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = "DISA Benchmarks" + Description = "This section contains all DISA recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-DISA-V1R1#RegistrySettings" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-DISA-V1R1#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-DISA-V1R1#AuditPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2022-DISA-V1R1#SecurityOptions" + } + ) + } + [ReportSection] @{ + Title = 'FB Pro recommendations' + Description = "This section contains all FB Pro recommendations" + SubSections = @( + [ReportSection] @{ + Title = 'Ciphers Suites and Hashes' + AuditInfos = Test-AuditGroup "CiphersProtocolsHashesBenchmark-FBPro-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - Registry Settings' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#RegistrySettings" + } + [ReportSection] @{ + Title = 'Enhanced security settings - User Rights' + AuditInfos = Test-AuditGroup "Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1#UserRights" + } + ) + } + ) +} 
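Review bot: `Microsoft Windows Server 2022.ps1` has two subsections titled `"Advanced Audit Policy Configuration"` in both the Microsoft section and the DISA section; in each case the second one reads the `#SecurityOptions` group, so its title should be `"Security Options"` (compare the 2019 report), otherwise the report shows two identically named headings and the Security Options findings are mislabelled. Also, the CIS, Microsoft and DISA `BasedOn` entries here use the `Date 2023-04-14` form without a colon, unlike the FB Pro entries in the same array.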
diff --git a/ATAPAuditor/Reports/Microsoft Windows Server 2025.ps1 b/ATAPAuditor/Reports/Microsoft Windows Server 2025.ps1 new file mode 100644 index 0000000..cfbdcfe --- /dev/null +++ b/ATAPAuditor/Reports/Microsoft Windows Server 2025.ps1 @@ -0,0 +1,38 @@ + +[Report] @{ + Title = "Windows Server 2025 Audit Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Microsoft Windows Server 2025, Version: 1.0.0, Date 2025-03-19" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.2.1, Date: 2023-11-03" + "FB Pro recommendations 'Enhanced settings', Version 1.2.1, Date: 2023-11-03" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains all CIS recommendations" + SubSections = @( + [ReportSection] @{ + Title = "Registry Settings/Group Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2025-CIS-1.0.0#RegistrySettings" + } + [ReportSection] @{ + Title = "User Rights Assignment" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2025-CIS-1.0.0#UserRights" + } + [ReportSection] @{ + Title = "Account Policies" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2025-CIS-1.0.0#AccountPolicies" + } + [ReportSection] @{ + Title = "Advanced Audit Policy Configuration" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2025-CIS-1.0.0#AuditPolicies" + } + [ReportSection] @{ + Title = "Security Options" + AuditInfos = Test-AuditGroup "Microsoft Windows Server 2025-CIS-1.0.0#SecurityOptions" + } + ) + } + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Reports/Mozilla Firefox.ps1 b/ATAPAuditor/Reports/Mozilla Firefox.ps1 new file mode 100644 index 0000000..6cb74c6 --- /dev/null +++ b/ATAPAuditor/Reports/Mozilla Firefox.ps1 
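Review bot: `Microsoft Windows Server 2025.ps1` lists both FB Pro recommendation sets in `BasedOn` but defines only the CIS section, so the report claims sources it never audits against; either add the `'FB Pro recommendations'` section with the `CiphersProtocolsHashesBenchmark-FBPro-1.2.1` and `Microsoft Windows Enhanced Security Settings-FB Pro GmbH-1.2.1` groups as the other reports do, or drop those two `BasedOn` lines. The file is also missing its trailing newline (`\ No newline at end of file`), which the other new files have.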
@@ -0,0 +1,873 @@ +<# +BSD 3-Clause License + +Copyright (c) 2023, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#> + +#region Import tests configuration settings +$CisBenchmarks = @{ + FirefoxLockPrefSettings = @( + @{ + Id = "2.1" + Task = "Enable Automatic Updates" + LockPrefs = @( + @{ Name = "app.update.auto"; Value = $true } + @{ Name = "app.update.enabled"; Value = $true } + @{ Name = "app.update.staging.enabled"; Value = $true } + ) + } + @{ + Id = "2.2" + Task = "Enable Auto-Notification of Outdated Plugins" + LockPrefs = @( + @{ Name = "plugins.update.notifyUser"; Value = $true } + ) + } + @{ + Id = "2.3" + Task = "Enable Information Bar for Outdated Plugins" + LockPrefs = @( + @{ Name = "plugins.hide_infobar_for_outdated_plugin"; Value = $false } + ) + } + @{ + Id = "2.4" + Task = "Set Update Interval Time Checks" + LockPrefs = @( + @{ Name = "app.update.interval"; Value = 43200 } + ) + } + @{ + Id = "2.5" + Task = "Set Update Wait Time Prompt" + LockPrefs = @( + @{ Name = "app.update.promptWaitTime"; Value = 172800 } + ) + } + @{ + Id = "2.6" + Task = "Ensure Update-related UI Components are Displayed" + LockPrefs = @( + @{ Name = "app.update.silent"; Value = $false } + ) + } + @{ + Id = "2.7" + Task = "Set Search Provider Update Behavior" + LockPrefs = @( + @{ Name = "app.update.auto"; Value = $true } + @{ Name = "app.update.enabled"; Value = $true } + ) + } + # @{ + # Id = "3.1" + # Task = "Validate Proxy Settings" + # } + @{ + Id = "3.2" + Task = "Do Not Send Cross SSLTLS Referrer Header" + LockPrefs = @( + @{ Name = "network.http.sendSecureXSiteReferrer"; Value = $false } + ) + } + @{ + Id = "3.3" + Task = "Disable NTLM v1" + LockPrefs = @( + @{ Name = "network.auth.force-generic-ntlm-v1"; Value = $false } + ) + } + @{ + Id = "3.4" + Task = "Enable Warning For Phishy URLs" + LockPrefs = @( + @{ Name = "network.http.phishy-userpass-length"; Value = 1 } + ) + } + @{ + Id = "3.5" + Task = "Enable IDN Show Punycode" + LockPrefs = @( + @{ Name = "network.IDN_show_punycode"; Value = $true } + ) + } + @{ + Id = "3.6" + Task = "Set File URI Origin Policy" + LockPrefs 
= @( + @{ Name = "security.fileuri.strict_origin_policy"; Value = $true } + ) + } + @{ + Id = "3.7" + Task = "Disable Cloud Sync" + LockPrefs = @( + @{ Name = "services.sync.enabled"; Value = $false } + ) + } + @{ + Id = "3.8" + Task = "Disable WebRTC" + LockPrefs = @( + @{ Name = "media.peerconnection.enabled"; Value = $false } + @{ Name = "media.peerconnection.use_document_iceservers"; Value = $false } + ) + } + @{ + Id = "4.1" + Task = "Set SSL Override Behavior" + LockPrefs = @( + @{ Name = "browser.ssl_override_behavior"; Value = 0 } + ) + } + @{ + Id = "4.2" + Task = "Set Security TLS Version Maximum" + LockPrefs = @( + @{ Name = "security.tls.version.max"; Value = 3 } + ) + } + @{ + Id = "4.3" + Task = "Set Security TLS Version Minimum " + LockPrefs = @( + @{ Name = "security.tls.version.min"; Value = 1 } + ) + } + @{ + Id = "4.4" + Task = "Set OCSP Use Policy" + LockPrefs = @( + @{ Name = "security.OCSP.enabled"; Value = 1 } + ) + } + @{ + Id = "4.5" + Task = "Block Mixed Active Content" + LockPrefs = @( + @{ Name = "security.mixed_content.block_active_content"; Value = $true } + ) + } + @{ + Id = "4.6" + Task = "Set OCSP Response Policy" + LockPrefs = @( + @{ Name = "security.OCSP.require"; Value = $true } + ) + } + @{ + Id = "5.1" + Task = "Disallow JavaScripts Ability to Change the Status Bar Text" + LockPrefs = @( + @{ Name = "dom.disable_window_status_change"; Value = $true } + ) + } + @{ + Id = "5.2" + Task = "Disable Scripting of Plugins by JavaScript" + LockPrefs = @( + @{ Name = "security.xpconnect.plugin.unrestricted"; Value = $false } + ) + } + @{ + Id = "5.3" + Task = "Disallow JavaScripts Ability to Hide the Address Bar" + LockPrefs = @( + @{ Name = "dom.disable_window_open_feature.location"; Value = $true } + ) + } + @{ + Id = "5.4" + Task = "Disallow JavaScripts Ability to Hide the Status Bar" + LockPrefs = @( + @{ Name = "dom.disable_window_open_feature.status"; Value = $true } + ) + } + @{ + Id = "5.5" + Task = "Disable Closing of Windows 
via Scripts" + LockPrefs = @( + @{ Name = "dom.allow_scripts_to_close_windows"; Value = $false } + ) + } + @{ + Id = "5.6" + Task = "Block Pop-up Windows" + LockPrefs = @( + @{ Name = "privacy.popups.policy"; Value = 1 } + ) + } + @{ + Id = "5.7" + Task = "Disable Displaying JavaScript in History URLs" + LockPrefs = @( + @{ Name = "browser.urlbar.filter.javascript"; Value = $true } + ) + } + @{ + Id = "6.1" + Task = "Disallow Credential Storage" + LockPrefs = @( + @{ Name = "signon.rememberSignons"; Value = $false } + ) + } + @{ + Id = "6.2" + Task = "Do Not Accept Third Party Cookies" + LockPrefs = @( + @{ Name = "network.cookie.cookieBehavior"; Value = 1 } + ) + } + @{ + Id = "6.3" + Task = "Tracking Protection" + LockPrefs = @( + @{ Name = "privacy.donottrackheader.enabled"; Value = $true } + @{ Name = "privacy.donottrackheader.value"; Value = 1 } + @{ Name = "privacy.trackingprotection.enabled"; Value = $true } + @{ Name = "privacy.trackingprotection.pbmode"; Value = $true } + ) + } + @{ + Id = "6.4" + Task = "Set Delay for Enabling Security Sensitive Dialog Boxes" + LockPrefs = @( + @{ Name = "security.dialog_enable_delay"; Value = 2000 } + ) + } + @{ + Id = "6.5" + Task = "Disable Geolocation Serivces" + LockPrefs = @( + @{ Name = "geo.enabled"; Value = $false } + ) + } + @{ + Id = "7.1" + Task = "Secure Application Plug-ins" + LockPrefs = @( + @{ Name = "browser.helperApps.alwaysAsk.force"; Value = $true } + ) + } + @{ + Id = "7.2" + Task = "Disabling Auto-Install of Add-ons" + LockPrefs = @( + @{ Name = "xpinstall.whitelist.required"; Value = $true } + ) + } + @{ + Id = "7.3" + Task = "Enable Extension Block List" + LockPrefs = @( + @{ Name = "extensions.blocklist.enabled"; Value = $true } + ) + } + @{ + Id = "7.4" + Task = "Set Extension Block List Interval" + LockPrefs = @( + @{ Name = "extensions.blocklist.interval"; Value = 86400 } + ) + } + @{ + Id = "7.5" + Task = "Enable Warning for External Protocol Handler" + LockPrefs = @( + @{ Name = 
"network.protocol-handler.warn-external-default"; Value = $true } + ) + } + @{ + Id = "7.6" + Task = "Disable Popups Initiated by Plugins" + LockPrefs = @( + @{ Name = "privacy.popups.disable_from_plugins"; Value = 2 } + ) + } + @{ + Id = "7.7" + Task = "Enable Extension Auto Update" + LockPrefs = @( + @{ Name = "extensions.update.autoUpdateDefault"; Value = $true } + ) + } + @{ + Id = "7.8" + Task = "Enable Extension Update" + LockPrefs = @( + @{ Name = "extensions.update.enabled"; Value = $true } + ) + } + @{ + Id = "7.9" + Task = "Set Extension Update Interval Time Checks" + LockPrefs = @( + @{ Name = "extensions.update.interval"; Value = 86400 } + ) + } + @{ + Id = "8.1" + Task = "Enable Virus Scanning for Downloads" + LockPrefs = @( + @{ Name = "browser.download.manager.scanWhenDone"; Value = $true } + ) + } + @{ + Id = "8.2" + Task = "Disable JAR from Opening Unsafe File Types" + LockPrefs = @( + @{ Name = "network.jar.open-unsafe-types"; Value = $false } + ) + } + @{ + Id = "8.3" + Task = "Block Reported Web Forgeries" + LockPrefs = @( + @{ Name = "browser.safebrowsing.enabled"; Value = $true } + ) + } + @{ + Id = "8.4" + Task = "Block Reported Attack Sites" + LockPrefs = @( + @{ Name = "browser.safebrowsing.malware.enabled"; Value = $true } + ) + } + ) +} + +$DisaRequirements = @{ + # RegistrySettings = @( + # @{ + # Id = "DTBF003" + # Task = "Installed version of Firefox unsupported." + # Path = "HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion" + # Name = "firefox.exe" + # Value = 0 # is equal to or greater than 50.1.x (or ESR 45.7.x) + # } + # ) + FirefoxLockPrefSettings = @( + @{ + Id = "DTBF030" + Task = "Firewall traversal from remote host must be disabled." 
+ LockPrefs = @( + @{ Name = "security.enable_tls"; Value = $true } + @{ Name = "security.tls.version.min"; Value = 2 } + @{ Name = "security.tls.version.max"; Value = 3 } + ) + } + @{ + Id = "DTBF050" + Task = "FireFox is configured to ask which certificate to present to a web site when a certificate is required." + LockPrefs = @( + @{ Name = "security.default_personal_cert"; Value = "Ask Every Time" } + ) + } + # @{ # Not set - in CIS Benchmarks + # Id = "DTBF080" + # Task = "Firefox application is set to auto-update." + # } + @{ + Id = "DTBF085" + Task = "Firefox automatically checks for updated version of installed Search plugins." + LockPrefs = @( + @{ Name = "browser.search.update"; Value = $false } + ) + } + @{ + Id = "DTBF090" + Task = "Firefox automatically updates installed add-ons and plugins." + LockPrefs = @( + @{ Name = "extensions.update.enabled"; Value = $false } + ) + } + @{ + Id = "DTBF105" + Task = "Network shell protocol is enabled in FireFox." + LockPrefs = @( + @{ Name = "network.protocol-handler.external.shell"; Value = $false } + ) + } + # @{ # no longer available + # Id = "DTBF110" + # Task = "Firefox is not configured to prompt a user before downloading and opening required file types." + # } + # @{ # no longer available + # Id = "DTBF130" + # Task = "Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page." + # } + @{ + Id = "DTBF140" + Task = "Firefox formfill assistance option is disabled." + LockPrefs = @( + @{ Name = "browser.formfill.enable"; Value = $false } + ) + } + @{ + Id = "DTBF150" + Task = "Firefox is configured to autofill passwords." + LockPrefs = @( + @{ Name = "signon.autofillForms"; Value = $false } + ) + } + # @{ # Not set - in CIS Benchmarks + # Id = "DTBF160" + # Task = "FireFox is configured to use a password store with or without a master password." 
+ # } + # @{ # Not set - see CIS benchmark 5.4_L1_Disallow_JavaScripts_Ability_to_Hide_the_Status_Bar + # Id = "DTBF180" + # Task = "FireFox is not configured to block pop-up windows. + # } + @{ + Id = "DTBF181" + Task = "FireFox is configured to allow JavaScript to move or resize windows." + LockPrefs = @( + @{ Name = "dom.disable_window_move_resize"; Value = $true } + ) + } + @{ + Id = "DTBF183" + Task = " Firefox is configured to allow JavaScript to disable or replace context menus." + LockPrefs = @( + @{ Name = "dom.event.contextmenu.enabled"; Value = $false } + ) + } + # @{ # Not set - in CIS Benchmarks + # Id = "DTBF184" + # Task = "Firefox is configured to allow JavaScript to hide or change the status bar." + # } + # @{ # no longer available + # Id = "DTBF186" + # Task = "Extensions install must be disabled." + # } + @{ + Id = "DTBF190" + Task = "Background submission of information to Mozilla must be disabled." + LockPrefs = @( + @{ Name = "datareporting.policy.dataSubmissionEnabled"; Value = $false } + @{ Name = "datareporting.healthreport.service.enabled"; Value = $false } + @{ Name = "datareporting.healthreport.uploadEnabled"; Value = $false } + ) + } + ) +} + +#endregion + +#region helper classes +class LockPrefSetting { + [string] $Name + $Value +} +#endregion + +#region Helper functions +function Get-FirefoxInstallDirectory { + if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\') { + $firefoxPath = 'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\' + }if (Test-Path 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\') { + $firefoxPath = 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\' + } + if(-not($null -eq $firefoxPath)){ + $currentFirefox = Get-ChildItem -Path $firefoxPath | Select-Object -Last 1 + $installDir = $currentFirefox | Get-ChildItem | Where-Object PSChildName -EQ "Main" + return $installDir | Get-ItemProperty | Select-Object -ExpandProperty "Install Directory" + } + else{ + Write-Output "Mozilla Firefox is not installed on OS" + } + # 
$firefoxPath = "HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\" + # if (-not (Test-Path $firefoxPath)) { + # $firefoxPath = "HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\" + # } +} + +function Get-FirefoxLocalSettingsFile { + return "{0}\defaults\pref\local-settings.js" -f (Get-FirefoxInstallDirectory) +} + +function Get-FirefoxMozillaCfgFileName { + $localSettingsFilePath = Get-FirefoxLocalSettingsFile + $content = if (Test-Path $localSettingsFilePath) { Get-Content $localSettingsFilePath } else { $null } + $filename = $content | ForEach-Object { + if ($_ -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") { + return $Matches[1] + } + return $null + } | Where-Object { $null -ne $_ } | Select-Object -Last 1 + + if ($null -eq $filename) { + return "mozilla.cfg" + } + + return $filename +} + +function Get-FirefoxMozillaCfgFile { + return "{0}\{1}" -f (Get-FirefoxInstallDirectory), (Get-FirefoxMozillaCfgFileName) +} + +function Get-FirefoxLockPrefs { + if (-not (Test-Path (Get-FirefoxMozillaCfgFile))) { + return $null + } + + $regex = "^lockPref\s*\(\s*`"([\w.-]+)`"\s*,\s*({0}|{1}|{2})\s*\);" -f @( + "(?true|false)" + "(?\d+)" + "`"(?(\\.|[^`"\\])*)`"" + ) + + $currentLockPrefs = Get-Content (Get-FirefoxMozillaCfgFile) | ForEach-Object { + if ($_ -match $regex) { + $value = $null + if ($Matches.Keys -contains "bool") { + $value = [bool]::Parse($Matches["bool"]) + } + elseif ($Matches.Keys -contains "number") { + $value = [int]::Parse($Matches["number"]) + } + elseif ($Matches.Keys -contains "string") { + $value = $Matches["string"] + } + + [LockPrefSetting]@{ Name = $Matches[1]; Value = $value } + } + } | Where-Object { $null -ne $_ } + + return $currentLockPrefs +} +#endregion + +#region Audit functions +function Get-RegistryAudit { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Id, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Task, + + 
[Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Path, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Name, + + [Parameter(ValueFromPipelineByPropertyName = $true)] + [AllowEmptyString()] + [object[]] $Value, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [ScriptBlock] $Predicate, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [String] $ExpectedValue, + + [Parameter(ValueFromPipelineByPropertyName = $true)] + [bool] $DoesNotExist = $false + ) + + process { + try { + $regValues = Get-ItemProperty -ErrorAction Stop -Path $Path -Name $Name ` + | Select-Object -ExpandProperty $Name + + if (-not (& $Predicate $regValues)) { + $regValue = $regValues -join ", " + + return @{ + Id = $Id + Task = $Task + Message = "Registry value: $regValue. Differs from allowed value: $ExpectedValue." + Status = "False" + } + } + } + catch [System.Management.Automation.PSArgumentException] { + if ($DoesNotExist) { + return @{ + Id = $Id + Task = $Task + Message = "Compliant. Registry value not set." + Status = "True" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Registry value not found." + Status = "False" + } + } + catch [System.Management.Automation.ItemNotFoundException] { + if ($DoesNotExist) { + return @{ + Id = $Id + Task = $Task + Message = "Compliant. Registry value not set." + Status = "True" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Registry key not found." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant" + Status = "True" + } + } +} + +function Get-FirefoxLocalSettingsFileAudit { + $Id = "1.1" + $Task = "Create local-settings.js file" + + if (-not (Test-Path (Get-FirefoxLocalSettingsFile))){ + return @{ + Id = $Id + Task = $Task + Message = "local-settings.js file does not exist." 
+ Status = "False" + } + } + + $generalConfigFilename = Get-Content (Get-FirefoxLocalSettingsFile) | Where-Object { + $_ -match "^pref\s*\(\s*`"general\.config\.filename`"\s*,\s*`"([\w\-. ]+\.cfg)`"\s*\);" + } + + if ($generalConfigFilename.Count -eq 0) { + return @{ + Id = $Id + Task = $Task + Message = "File does not set 'general.config.filename'" + Status = "False" + } + } + + $generalConfigObscure = Get-Content (Get-FirefoxLocalSettingsFile) | Where-Object { + $_ -match "^pref\s*\(\s*`"general\.config\.obscure_value`"\s*,\s*0\s*\);" + } + + if ($generalConfigObscure.Count -eq 0) { + return @{ + Id = $Id + Task = $Task + Message = "File does not set 'general.config.obscure' = 0" + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant" + Status = "True" + } +} + +function Get-FirefoxMozillaCfgFileAudit { + $name = Get-FirefoxMozillaCfgFileName + + $Id = "1.3" + $Task = "Create $name file" + + if (-not (Test-Path (Get-FirefoxMozillaCfgFile))){ + return @{ + Id = $Id + Task = $Task + Message = "$name file does not exist." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant" + Status = "True" + } +} + +function Get-FileAudit { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Id, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Task, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Path, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [scriptblock] $Predicate + ) + + process { + if (-not (Test-Path $Path)) { + return @{ + Id = $Id + Task = $Task + Message = "File does not exist." + Status = "False" + } + } + + if (-not (&$Predicate (Get-Content $Path))) { + return @{ + Id = $Id + Task = $Task + Message = "File does not match predicate." 
+ Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant." + Status = "True" + } + } +} + +function Get-LockPrefSettingAudit { + [CmdletBinding()] + Param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Id, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] $Task, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [array] $LockPrefs, + + [LockPrefSetting[]] $CurrentLockPrefs = (Get-FirefoxLockPrefs) + ) + + process { + if ($null -eq $CurrentLockPrefs) { + return @{ + Id = $Id + Task = $Task + Message = "general config does not exist." + Status = "None" + } + } + + $missingLockPrefs = $LockPrefs | Where-Object { + $LockPref = $_ + # LockPref not in currentLockPrefs + ($currentLockPrefs | Where-Object { + ($_.Name -eq $LockPref.Name) -and ($_.Value -is $LockPref.Value.GetType()) -and ($_.Value -eq $LockPref.Value) + }).Count -eq 0 + } + + if ($missingLockPrefs.Count -gt 0) { + $msg = ($missingLockPrefs | ForEach-Object { "lockPref(`"{0}`", {1})" -f $_.Name, $_.Value }) -join "; " + + return @{ + Id = $Id + Task = $Task + Message = "Missing lockprefs: $msg." + Status = "False" + } + } + + return @{ + Id = $Id + Task = $Task + Message = "Compliant." 
+ Status = "True" + } + } +} +#endregion + +$currentLockPrefs = Get-FirefoxLockPrefs + +[Report] @{ + Title = 'Mozilla Firefox Audit Report' + ModuleName = 'ATAPAuditor' + BasedOn = @( + 'CIS Mozilla Firefox 38 ESR Benchmark, Version: 1.0.0, Date: 2015-12-31' + 'DISA Mozilla FireFox Security Technical Implementation Guide, Version: V4R24, Date: 2019-01-25' + ) + Sections = @( + [ReportSection] @{ + Title = 'CIS Benchmarks' + Description = 'This section contains all CIS benchmarks' + Subsections = @( + [ReportSection] @{ + Title = "Configure Locked Preferences" + AuditInfos = @( + Get-FirefoxLocalSettingsFileAudit + # missing 1.2 + Get-FirefoxMozillaCfgFileAudit + # missing 1.4 + # missing 1.5 + ) + } + [ReportSection] @{ + Title = "Preference Settings" + AuditInfos = foreach ($setting in $CisBenchmarks.FirefoxLockPrefSettings) { + $obj = New-Object -TypeName psobject -Property $setting + Write-Output ($obj | Get-LockPrefSettingAudit -CurrentLockPrefs $currentLockPrefs) + } + } + ) + } + [ReportSection] @{ + Title = 'DISA Recommendations' + Description = 'This section contains all DISA recommendations' + Subsections = @( + [ReportSection] @{ + Title = "Preference Settings" + AuditInfos = foreach ($setting in $DisaRequirements.FirefoxLockPrefSettings) { + $obj = New-Object -TypeName psobject -Property $setting + Write-Output ($obj | Get-LockPrefSettingAudit -CurrentLockPrefs $currentLockPrefs) + } + } + ) + } + ) +} \ No newline at end of file diff --git a/ATAPAuditor/Reports/Red Hat Enterprise Linux 9.ps1 b/ATAPAuditor/Reports/Red Hat Enterprise Linux 9.ps1 new file mode 100644 index 0000000..d03730e --- /dev/null +++ b/ATAPAuditor/Reports/Red Hat Enterprise Linux 9.ps1 
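Review bot: The DTBF090 entry in `$DisaRequirements` locks `extensions.update.enabled` to `$false`, while CIS item 7.8 in the same file locks the same pref to `$true`; whichever value mozilla.cfg carries, one of the two audits in this report will always come out "False", so the contradiction should be resolved (or one of the entries dropped with a comment) before the report ships. Related problems in this hunk: DTBF030's `Task = "Firewall traversal from remote host must be disabled."` does not describe the prefs it checks (`security.enable_tls`, `security.tls.version.min`, `security.tls.version.max`), so either the label or the pref list is wrong; in `Get-FirefoxInstallDirectory` the `}if (Test-Path 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\')` should be `elseif` (as written the second key silently overrides the first, and the trailing commented-out block is dead code), and when neither key exists the function emits the string "Mozilla Firefox is not installed on OS" via `Write-Output`, which the callers then splice into a file path instead of handling as an error; the `Get-FirefoxLockPrefs` regex as shown in the hunk uses unnamed groups `(?true|false)`, `(?\d+)`, `(?(\\.|[^`"\\])*)` but the code below reads `$Matches["bool"]`, `$Matches["number"]` and `$Matches["string"]`, so the groups need to be `(?<bool>true|false)` and so on; and the message "File does not set 'general.config.obscure' = 0" should name the pref actually tested, `general.config.obscure_value`.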
@@ -0,0 +1,19 @@ +[Report] @{ + Title = "Red Hat Enterprise Linux 9" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Red Hat Enterprise Linux 9 version 2.0.0" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'CIS Red Hat Enterprise Linux 9' + AuditInfos = Test-AuditGroup "Red Hat Enterprise Linux 9-CIS-2.0.0" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/SUSE 15.ps1 b/ATAPAuditor/Reports/SUSE 15.ps1 new file mode 100644 index 0000000..f4ec3f1 --- /dev/null +++ b/ATAPAuditor/Reports/SUSE 15.ps1 @@ -0,0 +1,19 @@ +[Report] @{ + Title = "SUSE Enterprise 15" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS SUSE Linux 15 version 1.1.1" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'CIS SUSE Linux 15' + AuditInfos = Test-AuditGroup "SUSE Linux Enterprise 15-CIS-1.1.1" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Ubuntu 20.04.ps1 b/ATAPAuditor/Reports/Ubuntu 20.04.ps1 new file mode 100644 index 0000000..c2cc9f1 --- /dev/null +++ b/ATAPAuditor/Reports/Ubuntu 20.04.ps1 @@ -0,0 +1,19 @@ +[Report] @{ + Title = "Ubuntu 20.04 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Ubuntu Linux 20.04 version 1.1.0" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'CIS Ubuntu Linux 20.04' + AuditInfos = Test-AuditGroup "Ubuntu Linux 20.04-CIS-1.1.0" + } + ) + } + ) +} diff --git a/ATAPAuditor/Reports/Ubuntu 22.04.ps1 b/ATAPAuditor/Reports/Ubuntu 22.04.ps1 new file mode 100644 index 0000000..c9ec961 --- /dev/null +++ b/ATAPAuditor/Reports/Ubuntu 22.04.ps1 
@@ -0,0 +1,19 @@ +[Report] @{ + Title = "Ubuntu 22.04 Report" + ModuleName = "ATAPAuditor" + BasedOn = @( + "CIS Ubuntu Linux 22.04 version 2.0.0" + ) + Sections = @( + [ReportSection] @{ + Title = "CIS Benchmarks" + Description = "This section contains the general benchmark results" + SubSections = @( + [ReportSection] @{ + Title = 'CIS Ubuntu Linux 22.04' + AuditInfos = Test-AuditGroup "Ubuntu Linux 22.04-CIS-2.0.0" + } + ) + } + ) +} diff --git a/ATAPAuditor/Resources/FirefoxPreferences.ps1 b/ATAPAuditor/Resources/FirefoxPreferences.ps1 new file mode 100644 index 0000000..f6e1474 --- /dev/null +++ b/ATAPAuditor/Resources/FirefoxPreferences.ps1 
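Review bot: The `Title` strings of these four Linux report files are inconsistent ("Red Hat Enterprise Linux 9" and "SUSE Enterprise 15" lack the " Report" suffix the two Ubuntu files use), and the SUSE file names the same benchmark three different ways (`Title = "SUSE Enterprise 15"`, `BasedOn` "CIS SUSE Linux 15 version 1.1.1", `Test-AuditGroup "SUSE Linux Enterprise 15-CIS-1.1.1"`). Because `Test-CompatibleMitreReport` in ATAPHtmlReport.psm1 matches on exact title strings, it would be worth agreeing on one naming scheme now; the `SubSections` key is also spelled `Subsections` in the Firefox report, which only works because hashtable keys are case-insensitive.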
@@ -0,0 +1,134 @@ +function doFirefox { + param ( + [Parameter(Mandatory = $true)] + [string]$path + ) + $currentFirefoxRegKey = Get-ChildItem -Path $path | Select-Object -Last 1 + $installDirRegKey = $currentFirefoxRegKey | Get-ChildItem | Where-Object PSChildName -EQ 'Main' + $InstallationPath = $installDirRegKey | Get-ItemProperty | Select-Object -ExpandProperty 'Install Directory' + + # Calculate Firefox local-settings path + $LocalSettingsPath = "$InstallationPath\defaults\pref\local-settings.js" + + # Calculate Firefox config path + $preferenceConfigFilename = 'mozilla.cfg' + if (Test-Path $LocalSettingsPath) { + foreach ($line in (Get-Content $LocalSettingsPath)) { + if ($_ -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") { + $preferenceConfigFilename = $Matches[1] + } + } + } + $PreferenceConfigPath = "$InstallationPath\$preferenceConfigFilename" + + # Gather lines into lockPref list + # if (-not (Test-Path $LocalSettingsPath) -or + # -not (Test-Path $PreferenceConfigPath)) { + # return $null + # } + + $boolRegex = '(?true|false)' + $numberRegex = '(?\d+)' + $stringRegex = '"(?(\\.|[^`"\\])*)"' + $lineRegex = "^lockPref\s*\(\s*`"([\w.-]+)`"\s*,\s*({0}|{1}|{2})\s*\);" -f $boolRegex, $numberRegex, $stringRegex + + $LockedPreferences = @() + if (Test-Path $PreferenceConfigPath) { + foreach ($line in (Get-Content $PreferenceConfigPath)) { + if ($line -match $lineRegex) { + $value = $null + if ($Matches.Keys -contains "bool") { + $value = [bool]::Parse($Matches["bool"]) + } + elseif ($Matches.Keys -contains "number") { + $value = [int]::Parse($Matches["number"]) + } + elseif ($Matches.Keys -contains "string") { + $value = $Matches["string"] + } + + $LockedPreferences += @{ Name = $Matches[1]; Value = $value } + } + } + } + + return [PSCustomObject] @{ + InstallationPath = $InstallationPath + LocalSettingsPath = $LocalSettingsPath + PreferenceConfigPath = $PreferenceConfigPath + LockedPreferences = $LockedPreferences + } + + + 
$currentFirefoxRegKey = Get-ChildItem -Path $path | Select-Object -Last 1 + $installDirRegKey = $currentFirefoxRegKey | Get-ChildItem | Where-Object PSChildName -EQ 'Main' + $InstallationPath = $installDirRegKey | Get-ItemProperty | Select-Object -ExpandProperty 'Install Directory' + + # Calculate Firefox local-settings path + $LocalSettingsPath = "$InstallationPath\defaults\pref\local-settings.js" + + # Calculate Firefox config path + $preferenceConfigFilename = 'mozilla.cfg' + if (Test-Path $LocalSettingsPath) { + foreach ($line in (Get-Content $LocalSettingsPath)) { + if ($_ -match "^pref\(`"general\.config\.filename`",\s?`"([\w\-. ]+\.cfg)`"\);") { + $preferenceConfigFilename = $Matches[1] + } + } + } + $PreferenceConfigPath = "$InstallationPath\$preferenceConfigFilename" + + # Gather lines into lockPref list + # if (-not (Test-Path $LocalSettingsPath) -or + # -not (Test-Path $PreferenceConfigPath)) { + # return $null + # } + + $boolRegex = '(?true|false)' + $numberRegex = '(?\d+)' + $stringRegex = '"(?(\\.|[^`"\\])*)"' + $lineRegex = "^lockPref\s*\(\s*`"([\w.-]+)`"\s*,\s*({0}|{1}|{2})\s*\);" -f $boolRegex, $numberRegex, $stringRegex + + $LockedPreferences = @() + if (Test-Path $PreferenceConfigPath) { + foreach ($line in (Get-Content $PreferenceConfigPath)) { + if ($line -match $lineRegex) { + $value = $null + if ($Matches.Keys -contains "bool") { + $value = [bool]::Parse($Matches["bool"]) + } + elseif ($Matches.Keys -contains "number") { + $value = [int]::Parse($Matches["number"]) + } + elseif ($Matches.Keys -contains "string") { + $value = $Matches["string"] + } + + $LockedPreferences += @{ Name = $Matches[1]; Value = $value } + } + } + } + + return [PSCustomObject] @{ + InstallationPath = $InstallationPath + LocalSettingsPath = $LocalSettingsPath + PreferenceConfigPath = $PreferenceConfigPath + LockedPreferences = $LockedPreferences + } +} + +# Calculate Firefox installation path +if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\') { + 
$firefoxRegKeyPath = 'HKLM:\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\' + doFirefox -path $firefoxRegKeyPath +}if (Test-Path 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\') { + $firefoxRegKeyPath = 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox\' + doFirefox -path $firefoxRegKeyPath +}else { + return [PSCustomObject] @{ + InstallationPath = "Seems like Firefox is not installed on this system." + LocalSettingsPath = "Seems like Firefox is not installed on this system." + PreferenceConfigPath = "Seems like Firefox is not installed on this system." + LockedPreferences = "Seems like Firefox is not installed on this system." + } +} \ No newline at end of file diff --git a/ATAPAuditor/Resources/WindowsSecurityPolicy.ps1 b/ATAPAuditor/Resources/WindowsSecurityPolicy.ps1 new file mode 100644 index 0000000..e33d565 --- /dev/null +++ b/ATAPAuditor/Resources/WindowsSecurityPolicy.ps1 
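Review bot: In `doFirefox`, the loop `foreach ($line in (Get-Content $LocalSettingsPath))` tests `$_ -match ...` instead of `$line -match ...`; `$_` is not populated by a `foreach` statement, so a `general.config.filename` override is never detected and `$preferenceConfigFilename` always stays `mozilla.cfg`. Further points in this hunk: everything after the first `return [PSCustomObject] @{ ... }` up to the function's closing brace is a verbatim copy of the body above and is unreachable, so it should be deleted; the two top-level `if` blocks are independent and the `else` belongs only to the second, so on a host with only the WOW6432Node key the script emits the `doFirefox` result and then also the "not installed" object (use `elseif`, and `return` the `doFirefox` result explicitly); the not-installed branch sets `LockedPreferences` to a string where every other path returns an array, so callers that iterate it get a surprise (return `@()` and carry the message in a separate property); and the named groups `(?true|false)`, `(?\d+)`, `(?(\\.|[^`"\\])*)` as shown have no names although the code reads `$Matches["bool"]`, `$Matches["number"]`, `$Matches["string"]`.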
@@ -0,0 +1,48 @@ +using module .\..\Helpers\SecurityPolicy.psm1 + +$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) +$isAdministrator = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) + +if(-not $isAdministrator){ + throw "Administrator privileges are required!" +} + +# get a temporary file to save and process the secedit settings +$securityPolicyPath = Join-Path -Path $env:TEMP -ChildPath 'SecurityPolicy.inf' + +# export the secedit settings to this temporary file +Write-Verbose "[WindowsSecurityPolicy] Exporting local security policies from secedit into tempory file: $securityPolicyPath" +secedit.exe /export /cfg $securityPolicyPath | Out-Null + +$config = @{} +switch -regex -file $securityPolicyPath { + "^\[(.+)\]" { # Section + $section = $matches[1] + $config[$section] = @{} + } + "(.+?)\s*=(.*)" { # Key + $name = $matches[1] + $value = $matches[2] -replace "\*" + $config[$section][$name] = $value + } +} + +Write-Verbose "[WindowsSecurityPolicy] Converting identities in 'Privilege Rights' section" +$privilegeRights = @{} +foreach ($key in $config["Privilege Rights"].Keys) { + # Make all accounts SIDs + $accounts = $($config["Privilege Rights"][$key] -split ",").Trim() ` + | ConvertTo-NTAccountUser -Verbose:$VerbosePreference ` + | Where-Object { $null -ne $_ } + $privilegeRights[$key] = $accounts +} +$config["Privilege Rights"] = $privilegeRights + +# sanitize input +$systemAccess = @{} +foreach ($key in $config["System Access"].Keys) { + $systemAccess[$key] = $config["System Access"][$key].Trim() +} +$config["System Access"] = $systemAccess + +return $config \ No newline at end of file diff --git a/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1 b/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1 new file mode 100644 index 0000000..10c8841 --- /dev/null +++ b/ATAPHtmlReport/ATAPHtmlReport.Tests.ps1 
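Review bot: The exported policy file `$env:TEMP\SecurityPolicy.inf` is never removed and the result of `secedit.exe /export` is never checked: the file holds the machine's full account policy and user-rights assignment and stays on disk after the script returns, and if the export fails (`| Out-Null` also hides its error text) the following `switch -regex -file` fails on a missing or stale file with a confusing message. Wrap the parse in `try { ... } finally { Remove-Item $securityPolicyPath -Force -ErrorAction SilentlyContinue }` and test `$LASTEXITCODE` right after the `secedit.exe` call. Also, `$config["Privilege Rights"].Keys` and `$config["System Access"].Keys` throw if either section is absent from the export, so guard them with `ContainsKey`; the key branch `"(.+?)\s*=(.*)"` would index `$config[$null]` if a key ever preceded a section header; and "tempory" in the verbose message should be "temporary".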
@@ -0,0 +1,91 @@ +<# +BSD 3-Clause License + +Copyright (c) 2023, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#> + +Import-Module "./ATAPHtmlReport" -Force + +class MyAudit { + [string] $Id + [string] $Task + [string] $Status + [string] $Message +} + +Describe "ATAPHtmlReport" { + InModuleScope ATAPHtmlReport { + $testPath = "$PSScriptRoot\testreport.html" + $args = @{ + Path = $testPath + Title = "My Benchmark Report" + ModuleName = "MyAudit" + BasedOn = @( + "My Benchmark v1.0.0 - 10-05-2017" + "My Benchmark 2 v1.0.0 - 10-05-2017" + "My Benchmark 3 v1.0.0 - 10-05-2017" + ) + } + Get-ATAPHtmlReport @args -Sections @( + [PSCustomObject]@{ + Title = "Section 1" + AuditInfos = @( + [MyAudit]@{ Id = "1.1"; Task = "Ensure something"; Message = "All Good"; Status = 'True' } + [MyAudit]@{ Id = "1.2"; Task = "Ensure something"; Message = "All Good"; Status = 'True' } + [MyAudit]@{ Id = "1.3"; Task = "Ensure something"; Message = "All Good"; Status = 'True' } + [MyAudit]@{ Id = "1.4"; Task = "Ensure something"; Message = "Not run"; Status = 'None' } + ) + }, + [PSCustomObject]@{ + Title = "Section 2" + SubSections = @( + [PSCustomObject]@{ + Title = " Section 2.1" + AuditInfos = @( + [MyAudit]@{ Id = "2.1.1"; Task = "Ensure something else"; Message = "All Good"; Status = 'Warning' } + [MyAudit]@{ Id = "2.1.2"; Task = "Ensure something entirely different"; Message = "All good"; Status = 'True' } + ) + }, + [PSCustomObject]@{ + Title = "Section 2.2" + AuditInfos = @( + [MyAudit]@{ Id = "2.2.1"; Task = "Ensure something entirely different"; Message = "Something went wrong"; Status = 'False' } + [MyAudit]@{ Id = "2.2.2"; Task = "Text overflow can only happen on block or inline-block level elements, because the element needs to have a width in order to be overflow-ed. 
The overflow happens in the direction as determined by the direction property or related attributes."; Message = "All Good"; Status = 'True' } + [MyAudit]@{ Id = "2.1.2"; Task = "Ensure something entirely different"; Message = "Not quite good"; Status = 'Warning' } + ) + } + ) + } + ) + + It "Get-ATAPHtmlReport" { + Test-Path $testPath | Should Be $true + } + } +} diff --git a/ATAPHtmlReport/ATAPHtmlReport.psd1 b/ATAPHtmlReport/ATAPHtmlReport.psd1 new file mode 100644 index 0000000..d7e4272 --- /dev/null +++ b/ATAPHtmlReport/ATAPHtmlReport.psd1 
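Review bot: `$args` is a PowerShell automatic variable, so assigning the splat hashtable to it (`$args = @{ ... }`, flagged by PSScriptAnalyzer as PSAvoidAssignmentToAutomaticVariable) should be replaced with a name such as `$reportArgs`. Other points in this test: `Test-Path $testPath | Should Be $true` is the Pester 3/4 syntax and does not run under Pester 5, which needs `Should -Be $true`; the test writes `testreport.html` next to the test file and never cleans it up (write to `TestDrive:` instead); `Import-Module "./ATAPHtmlReport"` resolves against the current directory rather than `$PSScriptRoot`; and the Id `2.1.2` is reused for the last entry of Section 2.2, which makes duplicate-Id handling in the report part of what the test exercises, presumably unintentionally.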
@@ -0,0 +1,146 @@ +<# +BSD 3-Clause License + +Copyright (c) 2023, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +#> + +@{ + +# Script module or binary module file associated with this manifest. +RootModule = 'ATAPHtmlReport.psm1' + +# Version number of this module. 
+ModuleVersion = '1.13.5' + +# Supported PSEditions +# CompatiblePSEditions = @() + +# ID used to uniquely identify this module +GUID = 'b732e8cd-6500-4da8-ac96-ab60087c739b' + +# Author of this module +Author = 'Benedikt Böhme, Patrick Helbach, Steffen Winternheimer, Robin Wernz' + +# Company or vendor of this module +CompanyName = 'FB Pro GmbH' + +# Copyright statement for this module +Copyright = '(c) 2023 FB Pro GmbH. All rights reserved.' + +# Description of the functionality provided by this module +Description = 'ATAPHtmlReport serves as the basis for HTML reports generated via ATAPAuditor.' + +# Minimum version of the Windows PowerShell engine required by this module +PowerShellVersion = '5.0' + +# Name of the Windows PowerShell host required by this module +# PowerShellHostName = '' + +# Minimum version of the Windows PowerShell host required by this module +# PowerShellHostVersion = '' + +# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. +# DotNetFrameworkVersion = '' + +# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. +# CLRVersion = '' + +# Processor architecture (None, X86, Amd64) required by this module +# ProcessorArchitecture = '' + +# Modules that must be imported into the global environment prior to importing this module +# RequiredModules = @() + +# Assemblies that must be loaded prior to importing this module +# RequiredAssemblies = @() + +# Script files (.ps1) that are run in the caller's environment prior to importing this module. 
+# ScriptsToProcess = @() + +# Type files (.ps1xml) to be loaded when importing this module +# TypesToProcess = @() + +# Format files (.ps1xml) to be loaded when importing this module +# FormatsToProcess = @() + +# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess +# NestedModules = @() + +# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. +FunctionsToExport = @('Get-ATAPHtmlReport', 'Get-ATAPHostInformation') + +# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. +CmdletsToExport = @() + +# Variables to export from this module +VariablesToExport = '' + +# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. +AliasesToExport = @() + +# DSC resources to export from this module +# DscResourcesToExport = @() + +# List of all modules packaged with this module +# ModuleList = @() + +# List of all files packaged with this module +# FileList = @() + +# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. +PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + Tags = @('reporting', 'auditing', 'benchmarks', 'fb-pro', 'html') + + # A URL to the license for this module. + LicenseUri = 'https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/LICENSE' + + # A URL to the main website for this project. + ProjectUri = 'https://github.com/fbprogmbh/Audit-Test-Automation' + + # A URL to an icon representing this module. 
+ # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + } # End of PSData hashtable + +} # End of PrivateData hashtable + +# HelpInfo URI of this module +# HelpInfoURI = '' + +# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. +# DefaultCommandPrefix = '' + +} diff --git a/ATAPHtmlReport/ATAPHtmlReport.psm1 b/ATAPHtmlReport/ATAPHtmlReport.psm1 new file mode 100644 index 0000000..b69f49d --- /dev/null +++ b/ATAPHtmlReport/ATAPHtmlReport.psm1 
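Review bot: `VariablesToExport = ''` uses an empty string where the other export keys (`CmdletsToExport`, `AliasesToExport`) use `@()`; for consistency and to match the documented form for "export nothing", change it to `VariablesToExport = @()`. The `PowerShellVersion = '5.0'` floor is right, since the root module relies on `class` and `enum`, which did not exist before 5.0.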
@@ -0,0 +1,2125 @@ +<# +BSD 3-Clause License +Copyright (c) 2023, FB Pro GmbH +All rights reserved. +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#> + +$webIcon = @" + +"@ + +$mailIcon = @" + +"@ + +$phoneIcon = @" + +"@ +<# +icons from https://www.svgrepo.com/ + +#> +enum AuditInfoStatus { + True + False + Warning + None + Error +} + +$ScriptRoot = Split-Path -Parent $PSCommandPath + +$Settings = Import-PowerShellDataFile -Path "$ScriptRoot\Settings.psd1" +$ModuleVersion = (Import-PowerShellDataFile -Path "$ScriptRoot\ATAPHtmlReport.psd1").ModuleVersion + +$StatusValues = 'True', 'False', 'Warning', 'None', 'Error' +$AuditProperties = @{ Name = 'Id' }, @{ Name = 'Task' }, @{ Name = 'Message' }, @{ Name = 'Status' } + +#read in all information needed for Mitre Attack Mapping from json file +$global:CISToAttackMappingData = Get-Content -Raw "$PSScriptRoot\resources\CISToAttackMappingData.json" | ConvertFrom-Json + +function Get-MitreMappingMetaData { + <# + .SYNOPSIS + Returns the specified metadata to the mapping data + .EXAMPLE + Get-MitreMappingMetaData -Get BasedOn + Get-MitreMappingMetaData BasedOn + #> + param( + [Parameter(Mandatory)][ValidateSet('Version', 'BasedOn', 'Compatible')] + [string]$Get + ) + return $CISToAttackMappingData.'MappingMetaData'.$Get +} + +function Get-MitreTacticName { + <# + .SYNOPSIS + Returns the corresponding name for a given Mitre Tactic Id + + .EXAMPLE + Get-MitreTacticName TacticId 'TA0043' + #> + param( + [Parameter(Mandatory = $true)] + [string] + $TacticId + ) + + # $CISToAttackMappingData[AttackTactics][$tacticId] cannot be used because CISToAttackMappingData is a customObject and not a map + return $CISToAttackMappingData.'AttackTactics'.$tacticId +} + +function Get-MitreTactics { + <# + .SYNOPSIS + Returns a List of Mitre Tactic IDs for a given Mitre Technique Id + + .EXAMPLE + Get-MitreTactics -TechniqueID 'T1133' + #> + param( + [Parameter(Mandatory = $true)] + $TechniqueID + ) + return $CISToAttackMappingData.'TechniquesToTactis'.$TechniqueID +} + +function Get-MitreTechniqueName { + <# + .SYNOPSIS + Returns the name of a Mitre technique for a given Mitre 
Technique Id + + .EXAMPLE + Get-MitreTechniqueName -TechniqueID 'T1133' + #> + param( + [Parameter(Mandatory = $true)] + $TechniqueID + ) + return $CISToAttackMappingData.'AttackTechniques'.$TechniqueID.'name' +} + +function Test-CompatibleMitreReport { + <# + .SYNOPSIS + Returns if the report is compatible with the current mitre heatmap + + .EXAMPLE + Test-CompatibleMitreReport -Title "Windows 10 Report" -os "Win32NT" + #> + param( + [Parameter(Mandatory = $true)] + $Title, + [Parameter(Mandatory = $true)] + $os + ) + if (($Title -eq "Windows 10 Report" -or $Title -eq "Windows 11 Report" -or $Title -eq "Windows Server 2019 Audit Report" -or $Title -eq "Windows Server 2022 Audit Report") -and $os -match "Win32NT") { + return $true + } + else { + return $false + } +} + +function Get-MitreTechniqueCategories { + <# + .SYNOPSIS + Returns the categories of a Mitre technique in order to apply filters to the report. + Will return a string that provides all categories stored in the JSON file. + + .EXAMPLE + Get-MitreTechniqueCategories -TechniqueID 'T1133' + #> + param( + [Parameter(Mandatory = $true)] + $TechniqueID + ) + return $CISToAttackMappingData.'AttackTechniques'.$TechniqueID.'categories' +} + + +class MitreMap { + [System.Collections.Generic.Dictionary[string, [System.Collections.Generic.Dictionary[string, [System.Collections.Generic.Dictionary[string, AuditInfoStatus]]]]]] $Map + + MitreMap() { + $this.Map = @{} + + #read in techniques from json-file + $techniques = $global:CISToAttackMappingData.'AttackTechniques' + $tactics = $global:CISToAttackMappingData.'AttackTactics' + + foreach ($tacitc in $tactics.psobject.properties.name) { + $this.Map[$tacitc] = @{} + } + + #add all techniques and tactics to map + foreach ($technique in $techniques.psobject.properties.name) { + $tactics = Get-MitreTactics -TechniqueID $techniques.$technique.'ID' + foreach ($tactic in $tactics) { + if ($null -eq $this.Map[$tactic][$techniques.$technique.'ID']) { + 
$this.Map[$tactic][$techniques.$technique.'ID'] = @{} + } + } + } + } + + [void] Add($tactic, $technique, $id, $value) { + if ($tactic -and $technique -and $id -and $null -ne $value -and $tactic.GetType().Name -eq 'String' -and $technique.GetType().Name -eq 'String' -and $id.GetType().Name -eq 'String' -and $value.GetType().Name -eq 'AuditInfoStatus') { + if ($null -eq $this.Map[$tactic]) { + $this.Map[$tactic] = @{} + } + if ($null -eq $this.Map[$tactic][$technique]) { + $this.Map[$tactic][$technique] = @{} + } + $this.Map[$tactic][$technique][$id] = $value + } + else { + if (!$tactic) { + Write-Error -Message 'Could not add value to Map. $tactic is $null or empty' -Category InvalidType + } + elseif (!$technique) { + Write-Error -Message 'Could not add value to Map. $technique is $null or empty' -Category InvalidType + } + elseif (!$id) { + Write-Error -Message 'Could not add value to Map. $id is $null or empty' -Category InvalidType + } + elseif ($null -eq $value) { + Write-Error -Message 'Could not add value to Map. 
$value is $null' -Category InvalidType + } + else { + Write-Error -Message 'Could not add value to Map' -Category InvalidType + } + } + } + + [void] Print() { + foreach ($tactic in $this.Map.Keys) { + Write-Host "$tactic = " + foreach ($technique in $this.Map[$tactic].Keys) { + Write-Host " $technique = " + foreach ($id in $this.Map[$tactic][$technique].Keys) { + Write-Host " $id = $($this.Map[$tactic][$technique][$id])" + } + } + } + } +} + +function get-MitreLink { + <# + .SYNOPSIS + Creates a url which points to the documentation of mitre for a given tactic or technique + + .PARAMETER id + id of the tactic or technique + + .PARAMETER type + one of 'tactic', 'technique' or 'mitigations' + + .EXAMPLE + get-MitreLink -type technique -id 'T1548' | Should -Be 'https://attack.mitre.org/techniques/T1548/' + #> + + param( + [string] $id, + [Parameter(Mandatory)][ValidateSet('tactics', 'techniques', 'mitigations')] + [string]$type + ) + + $url = 'https://attack.mitre.org/' + $url += "$type/$id/" + return $url +} + +function Join-ATAPReportStatus { + [CmdletBinding()] + [OutputType([string])] + param( + [Parameter(Mandatory = $true)] + [string[]] + $Statuses + ) + + if ($Statuses -contains 'False') { + return 'False' + } + elseif ($Statuses -contains 'Error') { + return 'Warning' + } + elseif ($Statuses -contains 'Warning') { + return 'Warning' + } + elseif ($Statuses -contains 'True') { + return 'True' + } + else { + return 'None' + } +} + +function htmlElement { + param( + [Parameter(Mandatory = $true, Position = 0)] + [string] + $ElementName, + + [Parameter(Mandatory = $true, Position = 1)] + [hashtable] + $Attributes, + + [Parameter(Mandatory = $true, Position = 2)] + [scriptblock] + $Children + ) + + $htmlAttributes = @() + foreach ($attribute in $Attributes.GetEnumerator()) { + $htmlAttributes += '{0}="{1}"' -f $attribute.Name, $attribute.Value + } + + [string[]]$htmlChildren = & $Children + + return '<{0} {1}>{2}' -f $ElementName, ($htmlAttributes -join ' '), 
($htmlChildren -join '') +} + +function Get-SectionStatus { + param( + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [Alias('AuditInfos')] + [array] + $ConfigAudits, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Subsections + ) + + process { + $allStatuses = @() + if ($null -ne $ConfigAudits) { + $allStatuses += $ConfigAudits.Status + } + if ($null -ne $Subsections) { + foreach ($subsection in $Subsections) { + $allStatuses += $subsection | Get-SectionStatus + } + } + return Join-ATAPReportStatus $allStatuses + } +} + +function Get-HtmlClassFromStatus { + param( + [Parameter(Mandatory = $true)] + [string] + $Status + ) + + process { + switch ($Status) { + 'True' { 'passed' } + 'False' { 'failed' } + 'Warning' { 'warning' } + 'None' { 'none' } + 'Error' { 'error' } + Default { "" } + } + } +} + +function Convert-SectionTitleToHtmlId { + param( + [Parameter(Mandatory = $true)] + [string] $Title + ) + + $charMap = { + switch ($_) { + ' ' { "-" } + '-' { "--" } + Default { $_ } + } + } + + return ([char[]]$Title | ForEach-Object $charMap) -join '' +} + +function CreateToc { + param( + [Parameter(Mandatory = $true)] + $title + ) + htmlElement 'li' @{} { + htmlElement 'a' @{ href = "#$($title)" } { "$($title)" } + } +} + + + +function CreateHashTable { + htmlElement 'div'@{id = "hashTableDiv" } { + htmlElement 'h2' @{style = "margin-top: 0;" } { "Overall integrity" } + htmlElement 'p' @{} { "This table outlines integrity checksums for each hardening recommendation. This allows for a quick comparison between reports by simply comparing provided hash values." 
} + htmlElement 'table'@{ id = "hashTable" } { + htmlElement 'thead' @{} { + htmlElement 'tr' @{} { + htmlElement 'th' @{style = "border: 1px solid var(--color-dark-gray); border-collapse: collapse; background-color: var(--color-dark-gray);" } { "Integrity Check for following scopes" } + htmlElement 'th' @{style = "border: 1px solid var(--color-dark-gray); border-collapse: collapse; background-color: var(--color-dark-gray);" } { "Checksum (SHA-256)" } + } + } + htmlElement 'tbody' @{id = "hashTableBody" } { + htmlElement 'tr' @{} { + #Scope + htmlElement 'td' @{style = "border: 1px solid var(--color-dark-gray); border-collapse: collapse;vertical-align: middle; " } { "Overall integrity check" } + #Checksum + htmlElement 'td' @{style = "border: 1px solid var(--color-dark-gray); border-collapse: collapse; " } { + htmlElement 'p' @{style = "padding-right: 20px;" } { "$($hashtable_sha256.Get_Item($Title))" } + } + } + + # $index = 0 + # $trColorSwitch = 0 + # foreach ($section in $Sections) { + # if ($trColorSwitch -eq 0) { + # htmlElement 'tr' @{style = "border: 1px solid #d2d2d2; border-collapse: collapse; background-color: #efefef;" } { + # #Scope + # htmlElement 'td' @{style = "border: 1px solid #d2d2d2; border-collapse:; vertical-align: middle; " } { "$($section.Title)" } + # #Checksum + # htmlElement 'td' @{style = "border: 1px solid #d2d2d2; border-collapse: collapse; " } { + # htmlElement 'p' @{style = "padding-right: 20px;" } { "$($hashtable_sha256.Get_Item($section.Title))" } + # } + # } + # $trColorSwitch = 1 + # } + # else { + # htmlElement 'tr' @{style = "border: 1px solid #d2d2d2; border-collapse: collapse;" } { + # #Scope + # htmlElement 'td' @{style = "border: 1px solid #d2d2d2; border-collapse:; vertical-align: middle; " } { "$($section.Title)" } + # #Checksum + # htmlElement 'td' @{style = "border: 1px solid #d2d2d2; border-collapse: collapse; " } { + # htmlElement 'p' @{style = "padding-right: 20px;" } { "$($hashtable_sha256.Get_Item($section.Title))" 
} + # } + # } + # $trColorSwitch = 0 + # } + # $index += 1 + # } + + $index = 0 + foreach ($section in $Sections) { + $trColorSwitch += 1 + $background = "" + if ($index%2 -eq 0) { + $background = "background-color: var(--color-light-gray);" + }else{ + $background = "" + } + htmlElement 'tr' @{style = "border: 1px solid var(--color-dark-gray); border-collapse: collapse;$($background)" } { + #Scope + htmlElement 'td' @{style = "border: 1px solid var(--color-dark-gray); border-collapse:; vertical-align: middle; " } { "$($section.Title)" } + #Checksum + htmlElement 'td' @{style = "border: 1px solid var(--color-dark-gray); border-collapse: collapse; " } { + htmlElement 'p' @{style = "padding-right: 20px;" } { "$($hashtable_sha256.Get_Item($section.Title))" } + } + } + $index += 1 + } + } + } + } +} + +function CreateReportContent { + param( + [Parameter(Mandatory = $true)] + $tests, + [Parameter(Mandatory = $true)] + $title + ) + $amountOfFailedTests = 0 + foreach ($test in $tests) { + if ($test.Status -eq 'False') { + $amountOfFailedTests ++ + } + } + #if at least one test is failed + if ($amountOfFailedTests -gt 0) { + htmlElement 'h2' @{ id = "$($title)"; class = "severityResultFalse" } { "$($title)" } + } + else { + htmlElement 'h2' @{ id = "$($title)"; class = "severityResultTrue" } { "$($title)" } + } + htmlElement 'table' @{class = 'audit-info'; style = 'margin-bottom: 50px; margin-top: 20px;' } { + htmlElement 'tbody' @{} { + htmlElement 'tr' @{} { + htmlElement 'th' @{} { "Id" } + htmlElement 'th' @{} { "Task" } + htmlElement 'th' @{} { "Message" } + htmlElement 'th' @{} { "Status" } + } + foreach ($test in $tests) { + htmlElement 'tr' @{} { + htmlElement 'td' @{} { "$($test.Id)" } + htmlElement 'td' @{} { "$($test.Task)" } + htmlElement 'td' @{} { "$($test.Message)" } + htmlElement 'td' @{} { + if ($test.Status -eq 'False') { + htmlElement 'span' @{class = "severityResultFalse" } { + "$($test.Status)" + } + } + elseif ($test.Status -eq 'True') { + htmlElement 
'span' @{class = "severityResultTrue" } { + "$($test.Status)" + } + } + elseif ($test.Status -eq 'None') { + htmlElement 'span' @{class = "severityResultNone" } { + "$($test.Status)" + } + } + elseif ($test.Status -eq 'Warning') { + htmlElement 'span' @{class = "severityResultWarning" } { + "$($test.Status)" + } + } + elseif ($test.Status -eq 'Error') { + htmlElement 'span' @{class = "severityResultError" } { + "$($test.Status)" + } + } + } + } + } + } + } +} + + +function Get-HtmlTableRow { + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + $Audit + ) + + process { + # $properties = $Audit | Get-Member -MemberType Property + + htmlElement 'tr' @{} { + foreach ($property in $AuditProperties) { + $value = $Audit | Select-Object -ExpandProperty $property.Name + if ($Property.Name -eq 'Status') { + $class = Get-HtmlClassFromStatus $Audit.Status + $value = htmlElement 'span' @{ class = "auditstatus $class" } { $value } + } + htmlElement 'td' @{} { $value } + } + } + } +} + +function Get-HtmlToc { + param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Subsections, + + [string] + $Prefix = '' + ) + + process { + $id = Convert-SectionTitleToHtmlId -Title ($Prefix + $Title) + htmlElement 'li' @{} { + htmlElement 'a' @{ href = "#$id" } { $Title } + if ($null -ne $Subsections) { + htmlElement 'ul' @{} { + foreach ($subsection in $Subsections) { + $subsection | Get-HtmlToc -Prefix ($Prefix + $Title) + } + } + } + } + } +} + +function Merge-CisAuditsToMitreMap { + <# + .Synopsis + Merges the stati of multiple AuditInfos into a 2 dimensional map which can be indexd by the corresponding Mitre tactics an techniques. + This allows to simply find out how many Audits where succesfull for a given Mitre technique. + The result is a MitreMap Object. + + .PARAMETER Audit + An AuditTest Object containing the Audit results. 
Multiple can be passed from a pipeline + + .EXAMPLE + $mitreMap = $Sections | + Where-Object { $_.Title -eq "CIS Benchmarks" } | + ForEach-Object { return $_.SubSections } | + ForEach-Object { return $_.AuditInfos } | + Merge-CisAuditsToMitreMap + $mitreMap.Print() + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + $Audit + ) + Begin { + $json = $global:CISToAttackMappingData.'CISAttackMapping' + $mitreMap = [MitreMap]::new() + } + + Process { + $id = $Audit.Id + $technique1 = $json.$id.'Technique1' + $technique2 = $json.$id.'Technique2' + + if ($technique1) { + foreach ($tactic in Get-MitreTactics -TechniqueID $technique1) { + if ($tactic) { + $mitreMap.Add($tactic, $technique1, $id, $Audit.Status) + } + } + } + + if ($technique2) { + foreach ($tactic in Get-MitreTactics -TechniqueID $technique2) { + if ($tactic) { + $mitreMap.Add($tactic, $technique2, $id, $Audit.Status) + } + } + } + } + + End { + return [MitreMap] $mitreMap + } +} + +function Get-MitigationsFromFailedTests { + <# + .Synopsis + Returns a map with a array with all Techniques which had a failed test and the Mitigation. + + .PARAMETER Mappings + Is a mitre Mapping from Get-MitigationsFromFailedTests + + .EXAMPLE + $CISAMitigations = $Mappings.Map | Get-MitigationsFromFailedTests + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + $Mappings + ) + Begin { + $json = $global:CISToAttackMappingData.'CISAttackMapping' + #mapping with Mitigation IDs as keys + #array with all techniques where the mititgation is in the cisa paper and a tests failed + #mitigation from the cisa paper + $CISAMitigationsFromPaper = [ordered]@{ + 'M1017' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear-phishing and social engineering.' 
+ } + 'M1018' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Manage the creation, modification, use, and permissions associated to user accounts.' + } + 'M1021' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Restrict or block certain websites.' + } + 'M1027' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Set and enforce secure password policies for accounts.' + } + 'M1028' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.' + } + 'M1030' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to sensitive systems and information.' + } + 'M1031' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Configure Network Intrusion Prevention systems to block malicious file signatures and file types at the network boundary.' + } + 'M1038' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Block execution of code on a system.' + } + 'M1041' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Use strong encryption mechanisms to protect sensitive data.' + } + 'M1042' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.' + } + 'M1057' = @{ + 'MitreTechniqueIDs' = @() + 'Mitigation' = 'Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data.' 
+ } + } + $CISAMitigations = @() + $KeysToRemove = @() + } + + Process { + foreach ($tactic in $Mappings.Keys) { + foreach ($technique in $Mappings[$tactic].Keys) { + $Mappings[$tactic][$technique].Keys | + #checks for each technique if there is a failed test + Where-Object { $Mappings[$tactic][$technique][$_] -eq [AuditInfoStatus]::False } | + ForEach-Object { + #if the mitigation from the failed test is in ihe mitigation from the cisa paper + if ($null -ne $json.$_.'Mitigation1' -and $CISAMitigationsFromPaper.Keys -contains $json.$_.'Mitigation1') { + #put the technique in the mapping (no doubles) + if ($CISAMitigationsFromPaper[$json.$_.'Mitigation1']['MitreTechniqueIDs'] -notcontains $technique) { + $CISAMitigationsFromPaper[$json.$_.'Mitigation1']['MitreTechniqueIDs'] += $technique + } + #put the mitigation in a separate array (no doubles) + if ($CISAMitigations -notcontains $json.$_.'Mitigation1') { + $CISAMitigations += $json.$_.'Mitigation1' + } + } + #if the mitigation from the failed test is in ihe mitigation from the cisa paper + if ($null -ne $json.$_.'Mitigation2' -and $CISAMitigationsFromPaper.Keys -contains $json.$_.'Mitigation2') { + #put the technique in the mapping (no doubles) + if ($CISAMitigationsFromPaper[$json.$_.'Mitigation2']['MitreTechniqueIDs'] -notcontains $technique) { + $CISAMitigationsFromPaper[$json.$_.'Mitigation2']['MitreTechniqueIDs'] += $technique + } + #put the mitigation in a separate array (no doubles) + if ($CISAMitigations -notcontains $json.$_.'Mitigation2') { + $CISAMitigations += $json.$_.'Mitigation2' + } + } + } + } + } + #write keys which where not in the sperat mitigation array in $KeysToRemove beacause you can't delete in a foreach over the object you want to delete from + $CISAMitigationsFromPaper.Keys | Where-Object { $CISAMitigations -notcontains $_ } | ForEach-Object { $KeysToRemove += $_ } + #delete the keys from $CISAMitigation from paper which were not in the sperate mitigation array + $KeysToRemove | 
ForEach-Object { $CISAMitigationsFromPaper.Remove($_) } + } + End { + return $CISAMitigationsFromPaper + } +} + +function ConvertTo-HtmlTable { + <# + .Synopsis + Generates a html table using the mapping keys of the tactics and techniques + It also adds the links to the table using the function "get-MitreLink" + and colours the cells + .Example + ConvertTo-HtmlTable $Mappings.map + + #> + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + $Mappings + ) + + htmlElement 'table' @{id = 'MITRETable' } { + htmlElement 'thead' @{id = 'MITREthead' } { + htmlElement 'tr' @{} { + foreach ($tactic in $Mappings.Keys) { + $url = get-MitreLink -type tactics -id $tactic + $TacticCount = Get-TacticCounter $tactic $Mappings + htmlElement 'td' @{} { + $tacticName = Get-MitreTacticName -TacticId $tactic + $link = htmlElement 'a' @{href = $url; target = "blank" } { "$tacticName" } + htmlElement 'p' @{} { $link + "`n" + "$TacticCount/" + $Mappings[$tactic].Count } + } + } + } + } + htmlElement 'tbody' @{id = 'MITREtbody' } { + htmlElement 'tr' @{} { + foreach ($tactic in $Mappings.Keys) { + htmlElement 'td' @{} { + foreach ($technique in $Mappings[$tactic].Keys) { + $successCounter = 0 + foreach ($id in $Mappings[$tactic][$technique].Keys) { + if ($Mappings[$tactic][$technique][$id] -eq [AuditInfoStatus]::True) { + $successCounter++ + } + } + $url = get-MitreLink -type techniques -id $technique + $color = Get-ColorValue $successCounter $Mappings[$tactic][$technique].Count + $categories = Get-MitreTechniqueCategories -TechniqueID $technique + htmlElement 'div' @{class = "MITRETechnique $categories"; style = "background-color: $color; background-clip: border-box" } { + htmlElement 'a' @{href = $url; target = "_blank"; class = "tooltip" } { "$technique" + htmlElement 'span' @{class = "tooltiptext" } { Get-MitreTechniqueName -TechniqueID $technique } + } + htmlElement 'span' @{} { ": $successCounter/" + $Mappings[$tactic][$technique].Count } + } + } + } + } + } + } + } 
+} + +function ConvertTo-HtmlCISA { + <# + .Synopsis + Generates a html table using the CISA Mitigation, Mitre Mitigation id and failed techniques + .Example + ConvertTo-HtmlCISA $CISAMitigations + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + $CISAMitigations + ) + #create CISA table + htmlElement 'table' @{id = 'CISATable' } { + #create table head with the column CISA Mitigation, MITRE Mitigation ID, MITRE Technique IDs + htmlElement 'thead' @{id = 'CISAthead' } { + htmlElement 'tr' @{} { + htmlElement 'th' @{class = 'CISAMitigationIDs' } { + 'ID' + } + htmlElement 'th' @{class = 'CISAMitigations' } { + 'Mitigation Description' + } + htmlElement 'th' @{class = 'CISAMitreTechniqueIDs' } { + 'caused Audit failures' + } + } + } + #fill the columns with the information from the $CISAMitigation map + htmlElement 'tbody' @{id = 'CISAtbody' } { + $KeyOrder = $CISAMitigations.GetEnumerator() | Sort-Object { $_.Value.MitreTechniqueIDs.Count } -Descending + $KeyOrder | ForEach-Object { + htmlElement 'tr' @{} { + htmlElement 'td' @{class = 'CISAMitigationIDs' } { + htmlElement 'a' @{href = $(get-MitreLink -type mitigations -id $_.Key); target = "_blank" } { + $_.Key + } + } + htmlElement 'td' @{class = 'CISAMitigations' } { + htmlElement 'a' @{} { + $CISAMitigations[$_.Key]['Mitigation'] + } + } + htmlElement 'td' @{class = 'CISAMitreTechniqueIDs' } { + $mitigationsList = $CISAMitigations[$_.Key]['MitreTechniqueIDs'] + for ($i = 0; $i -lt $mitigationsList.Length; $i++) { + htmlElement 'a' @{href = $(get-MitreLink -type techniques -id $mitigationsList[$i]); target = "_blank" } { + $mitigationsList[$i] + } + } + } + } + } + } + } +} + +function Get-ColorValue { + <# + .Synopsis + Compares two Integer variables returns true if equal, false if not + .Example + $colorValue = Get-ColorValue $successCounter $Mappings[$tactic][$technique].Count + #> + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [int]$FirstValue, + + 
[Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [int]$SecondValue + ) + + if ($SecondValue -eq 0) { + $result = '#a7a7a7' + } + else { + $successPercentage = ($FirstValue / $SecondValue) + + switch ($successPercentage) { + 1 { $result = '#33cca6' } + { $_ -le 0.99 } { $result = '#52CC8F' } + { $_ -le 0.89 } { $result = '#70CC78' } + { $_ -le 0.79 } { $result = '#8FCC61' } + { $_ -le 0.69 } { $result = '#ADCC4A' } + { $_ -le 0.59 } { $result = '#CCCC33' } + { $_ -le 0.49 } { $result = '#CCA329' } + { $_ -le 0.39 } { $result = '#CC7A1F' } + { $_ -le 0.29 } { $result = '#CC5214' } + { $_ -le 0.19 } { $result = '#CC290A' } + { $_ -le 0.09 } { $result = '#cc0000' } + } + } + + return $result +} + +function Get-TacticCounter { + <# + .Synopsis + Counts the amount of successful techniques per tactic + .Example + $TacticCounter = Get-TacticCounter $tactic $Mappings + #> + param ( + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [object]$tactic, + + [Parameter(Mandatory = $true, ValueFromPipeline = $true)] + [object]$Mappings + ) + $TacticCount = 0 + foreach ($technique in $Mappings[$tactic].Keys) { + $successCounter = 0 + foreach ($id in $Mappings[$tactic][$technique].Keys) { + if ($Mappings[$tactic][$technique][$id] -eq [AuditInfoStatus]::True) { + $successCounter++ + } + if ($successCounter -eq $Mappings[$tactic][$technique].Count -And $successCounter -gt 0) { + $TacticCount++ + } + } + } + return $TacticCount +} + +#in the current state the function checks the cis version used for the mapping and used in the Save-ATAPHtmlReport +#but the versions don't match so the function prints the status in the HTML but doesn't block Merge-CisAuditsToMitreMap +function Compare-EqualCISVersions { + <# + .Synopsis + Returns a boolean, if the $ReportBasedOn and $MitreMappingCompatible Versions can be used together or not. 
+ .Parameter $Title + The Title of the Report + .Parameter $ReportBasedOn + The BasedOn information from the report + .Parameter $MitreMappingCompatible + The Compatible CIS versions of the mitre mapping + .Example + Compare-EqualCISVersions -Title:$Title -ReportBasedOn:$ReportBasedOn -MitreMappingCompatible:$MitreMappingCompatible + #> + + param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string[]] + $ReportBasedOn, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string[]] + $MitreMappingCompatible + ) + $os = [System.Environment]::OSVersion.Platform + + if (Test-CompatibleMitreReport -Title $Title -os $os) { + $ReportBasedOn = $ReportBasedOn | Where-Object { $_ -match 'CIS' } + return $($null -ne $ReportBasedOn -and $null -ne $MitreMappingCompatible -and $($ReportBasedOn -in $MitreMappingCompatible)) + } + return $false +} + +function Get-HtmlReportSection { + param( + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [string] + $Description, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [alias('AuditInfos')] + [array] + $ConfigAudits, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [alias('Sections')] + [array] + $Subsections, + + [Parameter(Mandatory = $false)] + [string] + $Prefix + ) + + process { + $id = Convert-SectionTitleToHtmlId -Title ($Prefix + $Title) + $sectionStatus = Get-SectionStatus -ConfigAudits $ConfigAudits -Subsections $Subsections + $class = Get-HtmlClassFromStatus $sectionStatus + htmlElement 'section' @{} { + htmlElement 'h1' @{ id = $id } { + + + htmlElement 'span' @{ class = $class } { $Title } + htmlElement 'span' @{ class = 'sectionAction collapseButton' } { '-' } + htmlElement 'a' @{ href = 
'#toc'; class = 'sectionAction' } { + htmlElement 'span' @{ style = "font-size: 75%;" } { '↑' } + } + } + + if ($null -ne $Description) { + htmlElement 'p' @{} { $Description } + } + if ($null -ne $ConfigAudits) { + htmlElement 'table' @{ class = 'audit-info' } { + htmlElement 'tbody' @{} { + htmlElement 'tr' @{} { + foreach ($columnName in $AuditProperties.Name) { + htmlElement 'th' @{} { $columnName } + } + } + foreach ($configAudit in $ConfigAudits) { + $configAudit | Get-HtmlTableRow + } + } + } + } + if ($null -ne $Subsections) { + foreach ($subsection in $Subsections) { + $subsection | Get-HtmlReportSection -Prefix ($Prefix + $Title) + } + } + } + } +} + +function Get-ATAPHostInformation { + $unixOS = [System.Environment]::OSVersion.Platform -eq 'Unix' # returns 'Unix' on Linux and MacOS and 'Win32NT' on Windows, PS v6+ has builtin environment variable for this + if ($unixOS) { + return @{ + "Hostname" = hostname + "Operating System" = (Get-Content /etc/os-release | Select-String -Pattern '^PRETTY_NAME=\"(.*)\"$').Matches.Groups[1].Value + "Installation Language" = (($(locale) | Where-Object { $_ -match "LANG=" }) -split '=')[1] + "Kernel Version" = uname -r + "Free physical memory" = "{0:N1} GB" -f (( -split (Get-Content /proc/meminfo | Where-Object { $_ -match 'MemFree:' }))[1] / 1MB) + "Free disk space" = "{0:N1} GB" -f ((Get-PSDrive | Where-Object { $_.Name -eq '/' }).Free / 1GB) + "System Uptime" = Get-Uptime -p + "OS Architecture" = lscpu | awk '/Architecture/ {print $2}' + "System Manufacturer" = (dmidecode -t system)[6] | cut -d ':' -f 2 | xargs + "System SKU" = (dmidecode -t system)[12] | cut -d ':' -f 2 | xargs + "System Serialnumber" = (dmidecode -t system)[9] | cut -d ':' -f 2 | xargs + "BIOS Version" = dmidecode -s bios-version + } + } +} + +function Get-CompletionStatus { + param( + [string[]] + $Statuses, + + [array]$Sections + ) + + $totalCount = $Statuses.Count + $status = @{ + TotalCount = $totalCount + } + + #Total completion status + 
foreach ($value in $StatusValues) { + $count = ($Statuses | Where-Object { $_ -eq $value }).Count + $status[$value] = @{ + Count = $count + Percent = (100 * ($count / $totalCount)).ToString("0.00", [cultureinfo]::InvariantCulture) + } + } + + #Section Total Count + $sectionTotalCountHash = @{} + foreach ($section in $Sections) { + $sectionResult = $section | Select-ConfigAudit | Select-Object -ExpandProperty 'Status' + $totalSectionCount = 0 + foreach ($value in $StatusValues) { + $count = ($sectionResult | Where-Object { $_ -eq $value }).Count + $totalSectionCount += $count + } + $sectionTotalCountHash.Add($section.Title, $totalSectionCount) + } + #Counts the completion status for each section and each value. Also calculates the percentage. + $sectionCountHash = @{} + foreach ($section in $Sections) { + $sectionResult = $section | Select-ConfigAudit | Select-Object -ExpandProperty 'Status' + foreach ($value in $StatusValues) { + $count = ($sectionResult | Where-Object { $_ -eq $value }).Count + $sectionCountHash.Add($section.Title + $value + "Count", $count) + $percent = (100 * ($count / $sectionTotalCountHash[$section.Title])).ToString("0.00", [cultureinfo]::InvariantCulture) + $sectionCountHash.Add($section.Title + $value + "Percent", $percent) + } + } + return $status, $sectionTotalCountHash, $sectionCountHash +} + +function Get-OverallComplianceCSS { + [CmdletBinding()] + [OutputType([string])] + param( + $completionStatus + ) + + $css = "" + $percent = $completionStatus['True'].Percent / 1 + + if ($percent -gt 50) { + $degree = 180 + ((($percent - 50) / 1) * 3.6) + $css += ".donut-chart.chart .slice.one {clip: rect(0 200px 100px 0); -webkit-transform: rotate(90deg); transform: rotate(90deg);}" + $css += ".donut-chart.chart .slice.two {clip: rect(0 100px 200px 0); -webkit-transform: rotate($($degree)deg); transform: rotate($($degree)deg);}" + } + else { + $degree = 90 + ($percent * 3.6) + $css += ".donut-chart.chart .slice.one {clip: rect(0 200px 100px 0); 
-webkit-transform: rotate($($degree)deg); transform: rotate($($degree)deg);}" + $css += ".donut-chart.chart .slice.two {clip: rect(0 100px 200px 0); -webkit-transform: rotate(0deg); transform: rotate(0deg);}" + } + + $css += ".donut-chart.chart .chart-center span:after {content: `"$percent %`";}" + + return $css +} + +function Select-ConfigAudit { + param( + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [Alias('AuditInfos')] + [array] + $ConfigAudits, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Subsections + ) + + process { + $results = @() + if ($null -ne $ConfigAudits) { + $results += $ConfigAudits + } + if ($null -ne $Subsections) { + foreach ($subsection in $Subsections) { + $results += $subsection | Select-ConfigAudit + } + } + return $results + } +} + +function Get-ATAPHtmlReport { + <# + .Synopsis + Generates an audit report in an html file. + .Description + The `Get-ATAPHtmlReport` cmdlet collects data from the current machine to generate an audit report. + .Parameter Path + Specifies the relative path to the file in which the report will be stored. 
+ .Example + C:\PS> Get-ATAPHtmlReport -Path "MyReport.html" + #> + + [CmdletBinding()] + [OutputType([string])] + param( + [Parameter(Mandatory = $true)] + [string] + $Path, + + [Parameter(Mandatory = $false)] + [hashtable] + $HostInformation = (Get-ATAPHostInformation), + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $Title, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $ModuleName, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string] + $AuditorVersion, + + [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] + [string[]] + $BasedOn, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [array] + $Sections, + + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [string] + $LicenseStatus, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [RSFullReport[]] + $RSReport, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [FoundationReport] + $FoundationReport, + + [Parameter(Mandatory = $false)] + [switch] $RiskScore, + + [Parameter(Mandatory = $false)] + [switch] $MITRE, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [hashtable] + $hashtable_sha256, + + [switch] $ComplianceStatus, + + [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true)] + [SystemInformation] + $SystemInformation + ) + + process { + Write-Progress -Activity "Creating HTML report head" -Status "Progress:" -PercentComplete 0 + $allConfigResults = foreach ($section in $Sections) { $section | Select-ConfigAudit | Select-Object -ExpandProperty 'Status' } + $completionStatus, $sectionTotalCountHash, $sectionCountHash = Get-CompletionStatus -Statuses $allConfigResults -sections $Sections + + # HTML markup + + $head = htmlElement 'head' @{} { + htmlElement 'meta' @{ charset = 'UTF-8' } { } + htmlElement 'meta' @{ name 
= 'viewport'; content = 'width=device-width, initial-scale=1.0' } { } + htmlElement 'meta' @{ 'http-equiv' = 'X-UA-Compatible'; content = 'ie=edge' } { } + htmlElement 'title' @{} { "$Title [$(Get-Date)]" } + htmlElement 'style' @{} { + $cssPath = $ScriptRoot | Join-path -ChildPath "/report.css" + Get-Content $cssPath + Get-OverallComplianceCSS $completionStatus + } + htmlElement 'script' @{} { + $jsPath = $ScriptRoot | Join-path -ChildPath "/report.js" + Get-Content $jsPath + } + } + #Handles Release Date from Releases; Compares Release with this ATAP Version + Write-Progress -Activity "Creating HTML report body" -Status "Progress:" -PercentComplete 13 + $body = htmlElement 'body' @{onload = "startConditions()" } { + # Header + htmlElement 'div' @{ class = 'header content' } { + htmlElement 'div' @{ id = "logo" } { + htmlElement 'a' @{id = "companyLink"; href = "https://www.fb-pro.com/"; target = "_blank" } { + htmlElement 'h1' @{id = "companyName" } { "FB PRO GMBH" } + htmlElement 'p' @{id = "companySlogan" } { "System Hardening & Secure Configuration" } + } + } + htmlElement 'div' @{ id = "reportInformation" } { + htmlElement 'h1' @{} { $Title } + $datum = "{0:d}. 
{1} {2} {3:D2}:{4:D2}" -f (Get-Date).Day, (Get-Date).ToString("MMMM"), (Get-Date).Year, (Get-Date).Hour, (Get-Date).Minute + htmlElement 'div' @{} { "Generated on $($datum)" } + } + } + # Main section + htmlElement 'div' @{ class = 'main content' } { + htmlElement 'div' @{ class = 'host-information' } { + # Show compliance status + if ($ComplianceStatus) { + $sliceColorClass = Get-HtmlClassFromStatus 'True' + htmlElement 'div' @{ class = 'card' } { + htmlElement 'h2' @{} { 'Compliance status' } + htmlElement 'div' @{ class = 'donut-chart chart' } { + htmlElement 'div' @{ class = "slice one $sliceColorClass" } { } + htmlElement 'div' @{ class = "slice two $sliceColorClass" } { } + htmlElement 'div' @{ class = 'chart-center' } { htmlElement 'span' @{} { } } + } + } + } + + $os = [System.Environment]::OSVersion.Platform + + ### Risk Checks ### + if ($RiskScore) { + # Quantity + $TotalAmountOfRules = $completionStatus.TotalCount; + $AmountOfCompliantRules = 0; + $AmountOfNonCompliantRules = 0; + $None_Rules = 0; + foreach ($value in $StatusValues) { + if ($value -eq 'True') { + $AmountOfCompliantRules = $completionStatus[$value].Count + } + #exclude Rules, which are set to None, to make an independent calculation between Compliant and non Compliant + if ($value -eq 'None') { + $None_Rules = $completionStatus[$value].Count + } + if ($value -eq 'False') { + $AmountOfNonCompliantRules = $completionStatus[$value].Count + } + } + $TotalAmountOfRules = $TotalAmountOfRules - $None_Rules + if ($os -match "Win32NT" -and $Title -match "Win") { + # percentage of compliance quantity + $QuantityCompliance = [math]::round(($AmountOfCompliantRules / $TotalAmountOfRules) * 100, 2); + # Variables, which will be evaluated in report.js + htmlElement 'div' @{id = "AmountOfNonCompliantRules"; hidden="hidden"} { "$($AmountOfNonCompliantRules)" } + htmlElement 'div' @{id = "AmountOfCompliantRules"; hidden="hidden"} { "$($AmountOfCompliantRules)" } + htmlElement 'div' @{id = 
"TotalAmountOfRules"; hidden="hidden"} { "$($TotalAmountOfRules)" } + htmlElement 'div' @{id = "QuantityCompliance"; hidden="hidden"} { "$($QuantityCompliance)" } + + # Severity + htmlElement 'div' @{id = "TotalAmountOfSeverityRules"; hidden="hidden"} { "$($RSReport.RSSeverityReport.AuditInfos.Length)" } + $AmountOfFailedSeverityRules = 0; + foreach ($rule in $RSReport.RSSeverityReport.AuditInfos) { + if ($rule.Status -eq "False") { + $AmountOfFailedSeverityRules ++; + } + } + htmlElement 'div' @{id = "AmountOfFailedSeverityRules"; hidden="hidden"} { "$($AmountOfFailedSeverityRules)" } + } + } + + htmlElement 'div' @{id = 'navigationButtons' } { + htmlElement 'button' @{type = 'button'; class = 'navButton selectedNavButton'; id = 'summaryBtn'; onclick = "clickButton('1')" } { "Benchmark Compliance" } + htmlElement 'button' @{type = 'button'; class = 'navButton'; id = 'foundationDataBtn'; onclick = "clickButton('5')" } { "Security Base Data" } + if ($RiskScore -and ($os -match "Win32NT" -and $Title -match "Win")) { + htmlElement 'button' @{type = 'button'; class = 'navButton'; id = 'riskScoreBtn'; onclick = "clickButton('2')" } { "Risk Score" } + } + if ($MITRE) { + if (Test-CompatibleMitreReport -Title $Title -os $os) { + htmlElement 'button' @{type = 'button'; class = 'navButton'; id = 'MITREBtn'; onclick = "clickButton('6')" } { "MITRE ATT&CK" } + htmlElement 'button' @{type = 'button'; class = 'navButton'; id = 'CISABtn'; onclick = "clickButton('7')" } { "CISA Recommendations" } + } + } + htmlElement 'button' @{type = 'button'; class = 'navButton'; id = 'settingsOverviewBtn'; onclick = "clickButton('4')" } { "Hardening Settings" } + htmlElement 'button' @{type = 'button'; class = 'navButton'; id = 'referenceBtn'; onclick = "clickButton('3')" } { "About Us" } + } + + Write-Progress -Activity "Creating settings overview page" -Status "Progress:" -PercentComplete 25 + htmlElement 'div' @{class = 'tabContent'; id = 'settingsOverview'; style = 'display:none' } { + # 
Table of Contents + htmlElement 'h1' @{ id = 'toc' } { 'Hardening Settings' } + CreateHashTable + htmlElement 'h2' @{} { "Table Of Contents" } + htmlElement 'p' @{} { 'Click the link(s) below for quick access to a report section.' } + htmlElement 'ul' @{} { + foreach ($section in $Sections) { $section | Get-HtmlToc } + } + htmlElement 'h2' @{} { "Benchmark Details" } + + # Report Sections for hardening settings + foreach ($section in $Sections) { + $section | Get-HtmlReportSection + } + } + + Write-Progress -Activity "Creating summary page" -Status "Progress:" -PercentComplete 38 + #This div hides/reveals the whole summary section + htmlElement 'div' @{class = 'tabContent'; id = 'summary' } { + # Host information + htmlElement 'h1' @{} { 'Benchmark Compliance' } + htmlElement 'div' @{style = "float: left;" } { + htmlElement 'p' @{} { + "Modules:" + htmlElement 'ul' @{} { + htmlElement 'div' @{} { "ATAPAuditor version $AuditorVersion" } + htmlElement 'div' @{} { "ATAPHtmlReport version $ModuleVersion" } + } + } + htmlElement 'p' @{} { + "Test baseline:" + htmlElement 'ul' @{} { + foreach ($item in $BasedOn) { + htmlElement 'li' @{} { $item } + } + } + htmlElement 'div' @{} { + "Does your system show low benchmark compliance? Check out our hardening solutions." + } + } + } + htmlElement 'div' @{id = 'riskMatrixSummaryArea' } { + if ($RiskScore -and ($os -match "Win32NT" -and $Title -match "Win")) { + htmlElement 'h2' @{id = 'CurrentRiskScore' } { "Current Risk Score of tested System: " } + htmlElement 'h3' @{} { 'For further information, please head to the tab "Risk Score".' 
} + htmlElement 'div' @{id = 'riskMatrixSummary' } { + htmlElement 'div' @{id = 'dotSummaryTab'; style = 'display:none'} {} + htmlElement 'div' @{id = 'severity' } { + htmlElement 'p' @{id = 'severityArea' } { 'Severity' } + } + htmlElement 'div' @{id = 'quantity' } { + htmlElement 'p' @{id = 'quantityArea' } { 'Quantity' } + } + htmlElement 'div' @{id = 'severityCritical' } { "Critical" } + htmlElement 'div' @{id = 'severityHigh' } { "High" } + htmlElement 'div' @{id = 'severityMedium' } { "Medium" } + htmlElement 'div' @{id = 'severityLow' } { "Low" } + + htmlElement 'div' @{id = 'quantityCritical' } { "Critical" } + htmlElement 'div' @{id = 'quantityHigh' } { "High" } + htmlElement 'div' @{id = 'quantityMedium' } { "Medium" } + htmlElement 'div' @{id = 'quantityLow' } { "Low" } + + #colored areas + htmlElement 'div' @{id = 'critical_low' } {} + htmlElement 'div' @{id = 'high_low' } {} + htmlElement 'div' @{id = 'medium_low' } {} + htmlElement 'div' @{id = 'low_low' } {} + + htmlElement 'div' @{id = 'critical_medium' } {} + htmlElement 'div' @{id = 'high_medium' } {} + htmlElement 'div' @{id = 'medium_medium' } {} + htmlElement 'div' @{id = 'low_medium' } {} + + htmlElement 'div' @{id = 'critical_high' } {} + htmlElement 'div' @{id = 'high_high' } {} + htmlElement 'div' @{id = 'medium_high' } {} + htmlElement 'div' @{id = 'low_high' } {} + + htmlElement 'div' @{id = 'critical_critical' } {} + htmlElement 'div' @{id = 'high_critical' } {} + htmlElement 'div' @{id = 'medium_critical' } {} + htmlElement 'div' @{id = 'low_critical' } {} + } + } + else { + if ($RiskScore) { + htmlElement 'h2' @{id = 'CurrentRiskScore' } { "Current Risk Score of tested System:" } + htmlElement 'h2' @{id = 'invalidOS' } { "N/A" } + htmlElement 'h3' @{} { 'Risk Score calculation implemented for Microsoft Windows OS for now.' 
} + htmlElement 'div' @{id = 'riskMatrixSummary' } { + htmlElement 'div' @{id = 'severity' } { + htmlElement 'p' @{id = 'severityArea' } { 'Severity' } + } + htmlElement 'div' @{id = 'quantity' } { + htmlElement 'p' @{id = 'quantityArea' } { 'Quantity' } + } + htmlElement 'div' @{id = 'severityCritical' } { "Critical" } + htmlElement 'div' @{id = 'severityHigh' } { "High" } + htmlElement 'div' @{id = 'severityMedium' } { "Medium" } + htmlElement 'div' @{id = 'severityLow' } { "Low" } + + htmlElement 'div' @{id = 'quantityCritical' } { "Critical" } + htmlElement 'div' @{id = 'quantityHigh' } { "High" } + htmlElement 'div' @{id = 'quantityMedium' } { "Medium" } + htmlElement 'div' @{id = 'quantityLow' } { "Low" } + + #colored areas + htmlElement 'div' @{id = 'critical_low' } {} + htmlElement 'div' @{id = 'high_low' } {} + htmlElement 'div' @{id = 'medium_low' } {} + htmlElement 'div' @{id = 'low_low' } {} + + htmlElement 'div' @{id = 'critical_medium' } {} + htmlElement 'div' @{id = 'high_medium' } {} + htmlElement 'div' @{id = 'medium_medium' } {} + htmlElement 'div' @{id = 'low_medium' } {} + + htmlElement 'div' @{id = 'critical_high' } {} + htmlElement 'div' @{id = 'high_high' } {} + htmlElement 'div' @{id = 'medium_high' } {} + htmlElement 'div' @{id = 'low_high' } {} + + htmlElement 'div' @{id = 'critical_critical' } {} + htmlElement 'div' @{id = 'high_critical' } {} + htmlElement 'div' @{id = 'medium_critical' } {} + htmlElement 'div' @{id = 'low_critical' } {} + } + } + } + } + + # Benchmark compliance + htmlElement 'h1' @{ style = 'clear:both;' } {} + htmlElement 'p' @{} { + 'A total of {0} tests have been executed.' 
-f @( + $completionStatus.TotalCount + ) + } + + # Status percentage gauge + htmlElement 'div' @{ class = 'gauge' } { + foreach ($value in $StatusValues) { + $count = $completionStatus[$value].Count + if($count -gt 0){ + $htmlClass = Get-HtmlClassFromStatus $value + $percent = $completionStatus[$value].Percent + + htmlElement 'div' @{ + class = "gauge-meter $htmlClass" + style = "--weight: $count;" #fills the gauge bar to some percent + title = "$value $count test(s), $($percent)%" + } { } + } + } + } + htmlElement 'ol' @{ class = 'gauge-info' } { + foreach ($value in $StatusValues) { + $count = $completionStatus[$value].Count + $htmlClass = Get-HtmlClassFromStatus $value + $percent = $completionStatus[$value].Percent + + htmlElement 'li' @{ class = 'gauge-info-item' } { + htmlElement 'span' @{ class = "auditstatus $htmlClass" } { "$($percent)% $value" } + "
(Tests: $count)" + } + } + + } + # Sections + foreach ($section in $Sections) { + htmlElement 'h2' @{ style = 'clear:both; margin-top: 0;' } { $section.Title } + htmlElement 'p' @{} { + 'A total of {0} tests have been executed in section {1}.' -f @( + $sectionTotalCountHash[$section.Title] + $section.Title + ) + } + + # Status percentage gauge for sections + htmlElement 'div' @{ class = 'gauge' } { + foreach ($value in $StatusValues) { + $count = $sectionCountHash[$section.Title + $value + "Count"] + if ($count -gt 0) { + $htmlClass = Get-HtmlClassFromStatus $value + $percent = $sectionCountHash[$section.Title + $value + "Percent"] + htmlElement 'div' @{ + class = "gauge-meter $htmlClass" + style = "--weight: $count;" #fills the gauge bar to some percent + title = "$value $count test(s), $($percent)%" + } { } + } + } + } + htmlElement 'ol' @{ class = 'gauge-info' } { + foreach ($value in $StatusValues) { + $count = $sectionCountHash[$section.Title + $value + "Count"] + $htmlClass = Get-HtmlClassFromStatus $value + $percent = $sectionCountHash[$section.Title + $value + "Percent"] + + htmlElement 'li' @{ class = 'gauge-info-item' } { + htmlElement 'span' @{ class = "auditstatus $htmlClass" } { "$($percent)% $value" } + "
(Tests: $count)" + } + } + } + } + } + + Write-Progress -Activity "Creating foundation data page" -Status "Progress:" -PercentComplete 50 + htmlElement 'div' @{class = 'tabContent'; id = 'foundationData'; style = 'display:none' } { + #Tab: Foundation Data (Only works for Windows OS!) + htmlElement 'h1' @{} { "Security Base Data" } + htmlElement 'div' @{id = "testGrid" } { + htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 1; grid-row-end: 2; font-size: 23px; font-weight: bold; border: 0; padding-top: 0px;" } { "System Information" } + htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 3; grid-row-start: 2; grid-row-end: 3; font-weight: bold; background-color: lightgray;" } { "Software Information" } + htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 6; grid-row-start: 2; grid-row-end: 3; font-weight: bold; background-color: lightgray;" } { "Hardware Information" } + + $systeminfo_array = @( + @{ colStart = 1; rowstart = 3; + name = "Hostname" + value = $($SystemInformation.SoftwareInformation.Hostname)} + @{ colStart = 1; rowstart = 4; + name = "System Uptime" + value = $($SystemInformation.SoftwareInformation.SystemUptime)} + @{ colStart = 1; rowstart = 5; + name = "Operating System" + value = $($SystemInformation.SoftwareInformation.OperatingSystem)} + @{ colStart = 1; rowstart = 6; + name = "Build Number" + value = $($SystemInformation.SoftwareInformation.BuildNumber)} + @{ colStart = 1; rowstart = 7; + name = "OS Architecture" + value = $($SystemInformation.SoftwareInformation.OSArchitecture)} + @{ colStart = 1; rowstart = 8; + name = "License Status" + value = $($SystemInformation.SoftwareInformation.LicenseStatus)} + @{ colStart = 1; rowstart = 9; + name = "Installation Language" + value = $($SystemInformation.SoftwareInformation.InstallationLanguage)} + @{ colStart = 1; rowstart = 10; + name = "Domain role" + value = $($SystemInformation.SoftwareInformation.DomainRole)} + + @{ colStart 
= 4; rowstart = 3; + name = "System Manufacturer" + value = $($SystemInformation.HardwareInformation.SystemManufacturer)} + @{ colStart = 4; rowstart = 4; + name = "System SKU" + value = $($SystemInformation.HardwareInformation.SystemSKU) } + @{ colStart = 4; rowstart = 5; + name = "System Model" + value = $($SystemInformation.HardwareInformation.SystemModel)} + @{ colStart = 4; rowstart = 6; + name = "System Serialnumber" + value = $($SystemInformation.HardwareInformation.SystemSerialnumber)} + @{ colStart = 4; rowstart = 7; + name = "BIOS Version" + value = $($SystemInformation.HardwareInformation.BIOSVersion)} + @{ colStart = 4; rowstart = 8; + name = "Free disk space (C:)" + value = $($SystemInformation.HardwareInformation.FreeDiskSpace)} + @{ colStart = 4; rowstart = 9; + name = "Free physical memory" + value = $($SystemInformation.HardwareInformation.FreePhysicalMemory)} + ) + + for ($i = 0; $i -lt $systeminfo_array.Length; $i++) { + $grayBackground = "" + if($i%2 -eq 0){ + $grayBackground = "background-color: var(--color-light-gray);" + } + htmlElement 'div' @{style = "grid-column-start: $($systeminfo_array[$i].colStart+0); grid-column-end: $($systeminfo_array[$i].colStart+1); grid-row-start: $($systeminfo_array[$i].rowStart); grid-row-end: $($systeminfo_array[$i].rowStart+1); $($grayBackground) font-weight: bold;" } { "$($systeminfo_array[$i].name)" } + htmlElement 'div' @{style = "grid-column-start: $($systeminfo_array[$i].colStart+1); grid-column-end: $($systeminfo_array[$i].colStart+2); grid-row-start: $($systeminfo_array[$i].rowStart); grid-row-end: $($systeminfo_array[$i].rowStart+1); $($grayBackground)" } { "$($systeminfo_array[$i].value)" } + } + + + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 3; grid-row-end: 4; background-color: #efefef; font-weight: bold;" } { "System Manufacturer" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 3; grid-row-end: 4; 
background-color: #efefef;" } { $($SystemInformation.HardwareInformation.SystemManufacturer) } + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 4; grid-row-end: 5; font-weight: bold;" } { "System SKU" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 4; grid-row-end: 5;" } { $($SystemInformation.HardwareInformation.SystemSKU) } + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 5; grid-row-end: 6; background-color: #efefef; font-weight: bold;" } { "System Model" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 5; grid-row-end: 6; background-color: #efefef;" } { $($SystemInformation.HardwareInformation.SystemModel) } + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 6; grid-row-end: 7; font-weight: bold;" } { "System Serialnumber" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 6; grid-row-end: 7;" } { $($SystemInformation.HardwareInformation.SystemSerialnumber) } + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 7; grid-row-end: 8; background-color: #efefef; font-weight: bold;" } { "BIOS Version" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 7; grid-row-end: 8; background-color: #efefef;" } { $($SystemInformation.HardwareInformation.BIOSVersion) } + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 8; grid-row-end: 9; font-weight: bold;" } { "Free disk space (C:)" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 8; grid-row-end: 9;" } { $($SystemInformation.HardwareInformation.FreeDiskSpace) } + + # htmlElement 'div' @{style = "grid-column-start: 4; grid-column-end: 5; grid-row-start: 9; grid-row-end: 10; background-color: #efefef; 
font-weight: bold;" } { "Free physical memory" } + # htmlElement 'div' @{style = "grid-column-start: 5; grid-column-end: 6; grid-row-start: 9; grid-row-end: 10; background-color: #efefef;" } { $($SystemInformation.HardwareInformation.FreePhysicalMemory) } + + + + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 3; grid-row-end: 4; background-color: #efefef; font-weight: bold;" } { "Hostname" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 3; grid-row-end: 4; background-color: #efefef;" } { $($SystemInformation.SoftwareInformation.Hostname) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 4; grid-row-end: 5; font-weight: bold;" } { "System Uptime" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 4; grid-row-end: 5;" } { $($SystemInformation.SoftwareInformation.SystemUptime) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 5; grid-row-end: 6; background-color: #efefef; font-weight: bold;" } { "Operating System" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 5; grid-row-end: 6; background-color: #efefef;" } { $($SystemInformation.SoftwareInformation.OperatingSystem) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 6; grid-row-end: 7; font-weight: bold;" } { "Build Number" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 6; grid-row-end: 7;" } { $($SystemInformation.SoftwareInformation.BuildNumber) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 7; grid-row-end: 8; background-color: #efefef; font-weight: bold;" } { "OS Architecture" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 7; grid-row-end: 8; background-color: #efefef;" 
} { $($SystemInformation.SoftwareInformation.OSArchitecture) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 8; grid-row-end: 9; font-weight: bold;" } { "License Status" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 8; grid-row-end: 9;" } { $($SystemInformation.SoftwareInformation.LicenseStatus) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 9; grid-row-end: 10; background-color: #efefef; font-weight: bold;" } { "Installation Language" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 9; grid-row-end: 10; background-color: #efefef;" } { $($SystemInformation.SoftwareInformation.InstallationLanguage) } + + # htmlElement 'div' @{style = "grid-column-start: 1; grid-column-end: 2; grid-row-start: 10; grid-row-end: 11; font-weight: bold;" } { "Domain role" } + # htmlElement 'div' @{style = "grid-column-start: 2; grid-column-end: 3; grid-row-start: 10; grid-row-end: 11;" } { $($SystemInformation.SoftwareInformation.DomainRole) } + } + # htmlElement 'div' @{id="systemData"} { + # } + if ([System.Environment]::OSVersion.Platform -ne 'Unix') { + htmlElement 'h2' @{} { "Table Of Contents" } + htmlElement 'p' @{} { 'Use below links to jump to a specific report section.' } + htmlElement 'ul' @{} { + foreach ($section in $FoundationReport.Sections) { $section | Get-HtmlToc } + } + htmlElement 'h2' @{} { "Details" } + # Report Sections + foreach ($section in $FoundationReport.Sections) { $section | Get-HtmlReportSection } + } + } + + if ($RiskScore) { + Write-Progress -Activity "Creating risk score page" -Status "Progress:" -PercentComplete 63 + htmlElement 'div' @{class = 'tabContent'; id = 'riskScore' } { + htmlElement 'h1'@{} { "Risk Score" } + htmlElement 'p'@{} { "The risk score provides a quick overview of how secure the system is configured. 
This is made up of the areas `"Severity`" and `"Quantity`". The higher risk is used as the overall risk." } + htmlElement 'h2' @{id = 'CurrentRiskScoreRS' } { "Current Risk Score of tested System: " } + + htmlElement 'div' @{id = 'riskMatrixContainer' } { + htmlElement 'div' @{id = 'dotRiskScoreTab' } {} + htmlElement 'div' @{id = 'severity' } { + htmlElement 'p' @{id = 'severityArea' } { 'Severity' } + } + htmlElement 'div' @{id = 'quantity' } { + htmlElement 'p' @{id = 'quantityArea' } { 'Quantity' } + } + htmlElement 'div' @{id = 'severityCritical' } { "Critical" } + htmlElement 'div' @{id = 'severityHigh' } { "High" } + htmlElement 'div' @{id = 'severityMedium' } { "Medium" } + htmlElement 'div' @{id = 'severityLow' } { "Low" } + + htmlElement 'div' @{id = 'quantityCritical' } { "Critical" } + htmlElement 'div' @{id = 'quantityHigh' } { "High" } + htmlElement 'div' @{id = 'quantityMedium' } { "Medium" } + htmlElement 'div' @{id = 'quantityLow' } { "Low" } + + #colored areas + htmlElement 'div' @{id = 'critical_low' } {} + htmlElement 'div' @{id = 'high_low' } {} + htmlElement 'div' @{id = 'medium_low' } {} + htmlElement 'div' @{id = 'low_low' } {} + + htmlElement 'div' @{id = 'critical_medium' } {} + htmlElement 'div' @{id = 'high_medium' } {} + htmlElement 'div' @{id = 'medium_medium' } {} + htmlElement 'div' @{id = 'low_medium' } {} + + htmlElement 'div' @{id = 'critical_high' } {} + htmlElement 'div' @{id = 'high_high' } {} + htmlElement 'div' @{id = 'medium_high' } {} + htmlElement 'div' @{id = 'low_high' } {} + + htmlElement 'div' @{id = 'critical_critical' } {} + htmlElement 'div' @{id = 'high_critical' } {} + htmlElement 'div' @{id = 'medium_critical' } {} + htmlElement 'div' @{id = 'low_critical' } {} + } + + htmlElement 'div' @{id = 'calculationTables' } { + htmlElement 'h3' @{class = 'calculationTablesText' } { "Risk Score Calculation" } + htmlElement 'p' @{class = 'calculationTablesText' } { "Risk Score calculation is based on the quantitative amount 
of compliant rules and the severity of incompliant checks." } + htmlElement 'p' @{class = 'calculationTablesText' } { "Note: Quantity is calculated by dividing all compliant rules with the total number (minus none-compliant) of checks." } + htmlElement 'table' @{id = 'quantityTable' } { + htmlElement 'tr' @{} { + htmlElement 'th' @{} { 'Compliance to Benchmarks (Quantity)' } + htmlElement 'th' @{} { 'Risk Assessment' } + } + htmlElement 'tr' @{} { + htmlElement 'td' @{} { 'More than 80%' } + htmlElement 'td' @{} { 'Low' } + } + htmlElement 'tr' @{} { + htmlElement 'td' @{} { 'Between 65% and 80%' } + htmlElement 'td' @{} { 'Medium' } + } + htmlElement 'tr' @{} { + htmlElement 'td' @{} { 'Between 50% and 65%' } + htmlElement 'td' @{} { 'High' } + } + htmlElement 'tr' @{} { + htmlElement 'td' @{} { 'Less than 50%' } + htmlElement 'td' @{} { 'Critical' } + } + } + + htmlElement 'table' @{id = 'severityTable' } { + htmlElement 'tr' @{} { + htmlElement 'th' @{} { 'Compliance to Benchmarks (Severity)' } + htmlElement 'th' @{} { 'Risk Assessment' } + } + htmlElement 'tr' @{} { + htmlElement 'td' @{} { 'All critical settings compliant' } + htmlElement 'td' @{} { 'Low' } + } + htmlElement 'tr' @{} { + htmlElement 'td' @{} { '1 or more incompliant setting(s)' } + htmlElement 'td' @{} { 'Critical' } + } + } + } + + + htmlElement 'div' @{id = "severityCompliance" } { + htmlElement 'h2' @{} { 'Details' } + htmlElement 'p' @{id = "complianceStatus" } { 'Table Of Severity Rules' } + htmlElement 'span' @{class = "sectionAction collapseButton"; id = "severityComplianceCollapse" } { "-" } + htmlElement 'table' @{id = 'severityDetails' } { + htmlElement 'tr' @{} { + htmlElement 'th' @{} { 'Id' } + htmlElement 'th' @{} { 'Task' } + htmlElement 'th' @{} { 'Status' } + htmlElement 'th' @{} { 'Severity' } + } + foreach ($info in $RSReport.RSSeverityReport.AuditInfos) { + htmlElement 'tr' @{} { + htmlElement 'td' @{} { "$($info.Id)" } + htmlElement 'td' @{} { "$($info.Task)" } + 
htmlElement 'td' @{} { + if ($info.Status -eq 'False') { + htmlElement 'span' @{class = "severityResultFalse" } { + "$($info.Status)" + } + } + elseif ($info.Status -eq 'True') { + htmlElement 'span' @{class = "severityResultTrue" } { + "$($info.Status)" + } + } + elseif ($info.Status -eq 'None') { + htmlElement 'span' @{class = "severityResultNone" } { + "$($info.Status)" + } + } + elseif ($info.Status -eq 'Warning') { + htmlElement 'span' @{class = "severityResultWarning" } { + "$($info.Status)" + } + } + elseif ($info.Status -eq 'Error') { + htmlElement 'span' @{class = "severityResultError" } { + "$($info.Status)" + } + } + } + htmlElement 'td' @{} { + htmlElement 'p' @{style = "margin: 5px auto;" } { "Critical" } + } + } + } + } + } + # 'Test for AuditInfo: ' + $RSReport.RSSeverityReport.TestTable + } + } + + if ($MITRE) { + if (Test-CompatibleMitreReport -Title $Title -os $os) { + Write-Progress -Activity "Creating mitre heatmap page" -Status "Progress:" -PercentComplete 75 + + $Mappings = $Sections | + Where-Object { $_.Title -eq "CIS Benchmarks" -or $_.Title -eq "CIS Stand-alone Benchmarks" } | + ForEach-Object { return $_.SubSections } | + ForEach-Object { return $_.AuditInfos } | + Merge-CisAuditsToMitreMap + + htmlElement 'div' @{class = 'tabContent'; id = 'MITRE' } { + htmlElement 'h1'@{} { "MITRE ATT&CK" } + htmlElement 'p'@{} { 'To get a quick overview of how good your system is hardened in terms of the MITRE ATT&CK Framework we made a heatmap.' } + htmlElement 'p' @{id = 'Tip' } { 'Tip: Hover over the MITRE IDs to get a quick information to each Technique' } + htmlElement 'h2'@{} { "Version of CIS in MITRE Mapping and tests" } + htmlElement 'p'@{} { $(Get-MitreMappingMetaData Version) + "." } + htmlElement 'p'@{} { "Based on: " + $(Get-MitreMappingMetaData BasedOn) + "." 
} + $MitreMappingCompatible = Get-MitreMappingMetaData Compatible + if (-not $(Compare-EqualCISVersions -Title:$Title -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible)) { + Write-Warning "The CIS version used for the MITRE mapping doesn't match with the CIS version used for the tests. The Mitre heatmap will still be generated but might contain false information." + htmlElement 'p'@{style = "font-size: 1.2em; color: red;" } { "The CIS version used for the MITRE mapping doesn't match with the CIS version used for the tests." } + } + htmlElement 'h2' @{} { 'Explanation of the cell colors' } + + htmlElement 'div' @{class = 'square-container' } { + $color_S = Get-ColorValue 1 1 + htmlElement 'div' @{class = 'square'; style = "background: $color_S" } {} + htmlElement 'div'@{} { '= 100% of the tests were successful, the system is protected in the best possible way' } + } + + htmlElement 'div' @{class = 'square-container' } { + $color_F = Get-ColorValue 0 1 + htmlElement 'div' @{class = 'square'; style = "background: $color_F" } {} + htmlElement 'div'@{} { '= 0% of the tests were successful, consider looking into possibilities to harden your system regarding this tactic / technique' } + } + + htmlElement 'div' @{class = 'square-container' } { + $color_S = Get-ColorValue 1 1 + $color_F = Get-ColorValue 0 1 + htmlElement 'div' @{class = 'square'; style = "background: linear-gradient($color_S,$color_F)" } {} + htmlElement 'div'@{} { '= the color gradient moves in 10% steps. 
The greener the cell, the more tests were successful' } + } + + htmlElement 'div' @{class = 'square-container' } { + $color_E = Get-ColorValue 1 0 + htmlElement 'div' @{class = 'square'; style = "background: $color_E" } {} + htmlElement 'div'@{} { '= No tests available yet' } + } + + htmlElement 'h2' @{} { "Filters" } + + htmlElement 'label' @{} { + "Hide techniques that are performed outside of enterprise defenses and controls:" + htmlElement 'input' @{type = "checkbox"; id = "mitreFilterCheckbox"; onchange = "hideMitreTechniques(this, '.orgMeasure')" } {} + } + + htmlElement 'p' @{} { + htmlElement 'label' @{} { + "Hide techniques that cannot be easily mitigated with preventive controls:" + htmlElement 'input' @{type = "checkbox"; id = "noEasyMitigationCheckbox"; onchange = "hideMitreTechniques(this, '.noEasyMitigation')" } {} + } + } + + htmlElement 'p' @{} { + htmlElement 'label' @{} { + "Display only techniques related to the attack vector 'E-Mail'" + htmlElement 'input' @{type = "checkbox"; id = "mailFilterCheckbox"; onchange = "hideMitreTechniques(this, '.MITRETechnique:not(.mailVector)')" } {} + } + } + + htmlElement 'h2' @{} { "Current ATT&CK heatmap on tested System" } + + ConvertTo-HtmlTable $Mappings.map + } + htmlElement 'div' @{class = 'tabContent'; id = 'CISA' } { + htmlElement 'h1'@{} { "CISA Recommendations" } + htmlElement 'p' @{} { + "This table shows the top mitigations, that help against the most used attack techniques. + Implementing these mitigations has the biggest impact on the overall security of the system. + The table is based on the Information from CISAs " + htmlElement 'a' @{href = "https://www.cisa.gov/sites/default/files/publications/RVA_INFOGRAPHIC_508c.pdf"; target = "_blank" } { + "Risk and Vulnerability Assessment (RVA) mapped to the MITRE ATT&CK Framework." + } + "Additionally, the table is sorted based on the number of audits that failed but could be prevented by a given mitigation." 
+ } + htmlElement 'p'@{} { 'The table presents three columns: The first column lists the mitigations recommended by CISA, the second column contains the corresponding mitigation IDs from MITRE, and the third column shows the techniques that have at least one CISA-recommended mitigation and have experienced at least one test failure.' } + htmlElement 'h1'@{} { 'Mitigation for top techniques' } + + $CISAMitigations = $Mappings.Map | Get-MitigationsFromFailedTests + ConvertTo-HtmlCISA $CISAMitigations + } + } + else { + Write-Warning "Mitre Heatmap can only be used on a Windows System together with `"Microsoft Windows 10`", `"Microsoft Windows 10 Stand-alone`", `"Microsoft Windows 11`", `"Microsoft Windows 11 Stand-alone`", `"Microsoft Windows Server 2019`" or `"Microsoft Windows Server 2022`". The Mitre Heatmap will not be generated" + } + } + + Write-Progress -Activity "Creating references page" -Status "Progress:" -PercentComplete 83 + htmlElement 'div' @{class = 'tabContent'; id = 'references'; style = 'display:none' } { + + + htmlElement 'h1' @{} { "About us" } + + # Flex-Container + htmlElement 'div' @{class = 'columns-container' } { + + # LEFT COLUMN + htmlElement 'div' @{class = 'left-column' } { + htmlElement 'h2' @{} { "What makes FB Pro GmbH different" } + + htmlElement 'h3' @{} { "What do we want?" } + htmlElement 'p' @{} { + "Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet." + } + + htmlElement 'h3' @{} { "How do we achieve this?" } + htmlElement 'p' @{} { + "We implement in-depth IT security for our customers. Our approach always focuses on state-of-the-art technology that is highly efficient and automated." + } + + htmlElement 'h3' @{} { "What is system hardening?" } + htmlElement 'p' @{} { "The following video provides concise answers to questions such as:" } + htmlElement 'ul' @{class = 'hardening-ul' } { + htmlElement 'li' @{} { "What does System Hardening mean?" 
} + htmlElement 'li' @{} { "How does System Hardening work?" } + htmlElement 'li' @{} { "Why is System Hardening so important?" } + } + htmlElement 'p' @{style = 'font-style: italic;' } { + "If you cannot see the video below, please check your browser settings to allow loading content from external sources. + Alternatively, you can watch the video " + htmlElement 'a' @{href = "https://www.youtube.com/watch?v=jbI19FwnBKY"; target = "_blank" } { "here" + } + } + + htmlElement 'div' @{class = 'video-wrapper' } { + htmlElement 'iframe' @{ + src = "https://www.youtube-nocookie.com/embed/jbI19FwnBKY?si=_p7JoaNAkxRB0HIL" + title = "YouTube video player" + frameborder = "0" + allow = "accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" + referrerpolicy = "strict-origin-when-cross-origin" + allowfullscreen = "" + } {} + } + } + + # RIGHT COLUMN + htmlElement 'div' @{class = 'right-column' } { + + htmlElement 'h2' @{} { "Check out our solutions" } + # Flex-Container for the products + htmlElement 'div' @{class = 'product-block' } { + # Flex-Container for each product item (order in column and centered) + htmlElement 'div' @{class = 'product-item ' } { + htmlElement 'h3'@{} { "Enforce Administrator" } + htmlElement 'a' @{href = "https://www.fb-pro.com/enforce-administrator-product/"; target = "_blank" } { + htmlElement 'img' @{ + src = $Settings.EA + alt = "Enforce Administrator" + style = "width: 125px; height: 200px;" + } {} + } + } + htmlElement 'div' @{class = 'product-item ' } { + htmlElement 'h3'@{} { "EnforceTAP" } + htmlElement 'a' @{href = "https://www.fb-pro.com/enforce-suite/"; target = "_blank" } { + htmlElement 'img' @{ + src = $Settings.EnforceTAP + alt = "EnforceTAP" + style = "width: 125px; height: 200px;" + } {} + } + } + htmlElement 'div' @{ class = 'product-item' } { + htmlElement 'h3' @{} { " AuditTAP" } + htmlElement 'a' @{href = "https://www.fb-pro.com/audit-tap-product-information/"; target = "_blank" } { 
+ htmlElement 'img' @{ + src = $Settings.ATAP + alt = "Audit Test Automation Package" + style = "width: 125px; height: 200px;" + } {} + } + } + } + + htmlElement 'div' @{class = 'contact-block' } { + htmlElement 'div' @{class = 'contact-flex' } { + #Flex-Container for FB Pro Contact information (order in one column, centered) + htmlElement 'div' @{ class = 'contact-item'; style = 'white-space: nowrap;' } { + + htmlElement 'h3' @{} { "Contact information" } + htmlElement 'p' @{} { "FB Pro GmbH" } + htmlElement 'p' @{} { htmlElement 'span' @{style = "display:inline-block; vertical-align:middle; position:relative; top:2px; margin-right:5px;" } { $phoneIcon }; "+49 6727 7559039" } + htmlElement 'p' @{} { + htmlElement 'span' @{style = "display:inline-block; vertical-align:middle; position:relative; top:2px; margin-right:5px;" } { $webIcon }; htmlElement 'a' @{href = "https://www.fb-pro.com/" ; target = "_blank" } { "https://www.fb-pro.com/" } + } + htmlElement 'p' @{} { + htmlElement 'span' @{style = "display:inline-block; vertical-align:middle; position:relative; top:2px; margin-right:5px;" } { $mailIcon }; htmlElement 'a' @{href = "mailto:info@fb-pro.com" } { "info@fb-pro.com" } + } + } + htmlElement 'div' @{class = 'contact-item' } { + htmlElement 'h3' @{} { "Can we help you?" } + htmlElement 'p' @{} { "Do you need support with system hardening?" } + htmlElement 'p' @{} { "Our team of system hardening experts will be happy to assist you." } + htmlElement 'p' @{} { " Contact us for a no-obligation inquiry!" } + } + } + + htmlElement 'div' @{ class = "contact-buttons" } { + htmlElement 'a' @{href = "mailto:info@fb-pro.com" } { + htmlElement 'button' @{id = "contactUsButton"; class = "button-base" } { "CONTACT US!" 
} + } + htmlElement 'a' @{href = "https://github.com/fbprogmbh/Hardening-Audit-Tool-AuditTAP-Audit-Test-Automation-Package"; target = "_blank" } { + htmlElement 'button' @{id = "githubButton"; class = "button-base" } { + "AuditTAP on GitHub" + } + } + } + } + } + } + } + + + + } + } + htmlElement 'script' @{ type = 'text/javascript' } { @" + function collapseHandler(e) { + var targetSection = e.target.parentElement.parentElement; + if (targetSection.classList.toggle('collapsed')) { + e.target.innerText = '+'; + } else { + e.target.innerText = '-'; + } + } + var collapseButtons = document.getElementsByClassName("collapseButton"); + for (var i = 0; i < collapseButtons.length; i++) { + collapseButtons[i].addEventListener('click', collapseHandler); + } +"@ + } + } + + $html = "$($head)$($body) " + + $head = " + + A Meaningful Page Title + + + " + + #If Path exists to a folder exists + if ($Path -match ".html") { + $name = Split-Path -Path $Path -Leaf + $Path = Split-Path -Path $Path -Parent + New-Item -Path $Path -Name $name -ItemType File -Value $html -Force + + } + else { + $Title = $Title -replace " Audit Report", "" + $auditReport += "$($Title)_$(Get-Date -UFormat %Y%m%d_%H%M%S).html" + New-Item -Path $Path -Name $auditReport -ItemType File -Value $html -Force + } + if ([System.Environment]::OSVersion.Platform -eq 'Unix') { + # $shellPath = $Path"/"$name + # bash -c "chmod o+r $($shellPath)" + # Write-Host $shellPath + } + #Create Report file + #$html | Out-File -FilePath $auditReport -Encoding utf8 + } +} diff --git a/ATAPHtmlReport/README.md b/ATAPHtmlReport/README.md new file mode 100644 index 0000000..c539401 --- /dev/null +++ b/ATAPHtmlReport/README.md 
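Review bot: `$head` is used in `$html = "$($head)$($body) "` before the `$head = " ... A Meaningful Page Title ... "` assignment that follows it, so that assignment is dead code and the written file gets whatever `$head` held earlier; move the assignment above the concatenation or delete it. In the same region, `$Path -match ".html"` is a regex in which `.` matches any character, so `-like '*.html'` or `[System.IO.Path]::GetExtension($Path) -eq '.html'` expresses the intent; and in the `else` branch `$Title` flows unfiltered into the output file name via `$auditReport += "$($Title)_$(Get-Date ...).html"`, so a title containing path separators or reserved characters makes `New-Item` fail or write outside `$Path`; strip `[System.IO.Path]::GetInvalidFileNameChars()` from it before use. `New-Item -Value $html` also writes with the host's default encoding, while the commented-out `Out-File ... -Encoding utf8` line shows the intended behaviour; host information in the report is user supplied and may contain non-ASCII, so write with an explicit UTF-8 encoding and remove the commented `chmod` block and `Out-File` line instead of leaving them as dead comments.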
@@ -0,0 +1,105 @@ +# ATAP Html Report + +## Overview + +A module part of the *Audit Test Automation Package* that creates html reports with tables and sections for audit reporting. + +## Requirements + +Please make sure, that following requirements are fulfilled: + +* **PowerShell 5.1:** To find out the current version use `$PSVersionTable.PSVersion`. + +## Installation + +It is recommended that you install the module on your system. + +1. Findout out where PowerShell stores modules with `$env:PSModulePath`. For example, this folder might be C:\Users\Administrator\Documents\WindowsPowerShell\Modules. +2. Copy this folder into the modules folder +3. Check with `Get-Module ATAPHtmlReport -ListAvailable` if PowerShell detects the module. + +## Usage + +To generate a report, use `Get-ATAPHtmlReport`. However, you will need to provide the *path* where the report will be stored, the report *title*, the audit *module name*, and what hardening standard it is *based on*. To give the report a little bit more context, about the computer the report was generated on, you can provide your own *host information* (a table at the beginning of the report). + +The main content of the report is structured into *sections*. A section must have a *title*, but can also include a *description*, a table of *AuditInfos*, and *SubSections*. AuditInfos represent a single audit test with an *Id*, *Task*, *Message*, and *Audit* that states whether the the system completed the test with True, False, Warning, or None. + +**Important**: To use the AuditInfos class defined in the modul, you need to add `using module ATAPHtmlReport` to the top of the file. This might not work if the module is not in a PSModulePath location. 
+ +For example, a simple section could look like this: + +```powershell +[hashtable[]]$reportSections = @() + +$reportSections += @{ + Title = "Section 1" + Description = "All tests from section 1 of the my audit benchmark are here" + AuditInfos = @( + (New-Object -TypeName AuditInfo -Property @{ + Id = "1.1" + Task = "Ensure something is set" + Message = "All Good" + Audit = [AuditStatus]::True + }), + (New-Object -TypeName AuditInfo -Property @{ + Id = "1.2" + Task = "Ensure something else is set" + Message = "Result could be better" + Audit = [AuditStatus]::Warning + }) + ) +} +``` + +A more complicated section could look like this. + +```powershell +$reportSections += @{ + Title = "Section 2" + SubSections = @( + @{ + Title = "First subsection of section 2" + AuditInfos = @( + (New-Object -TypeName AuditInfo -Property @{ + Id = "2.1.1" + Task = "Ensure something" + Message = "Not entirely false" + Audit = [AuditStatus]::Warning + }), + (New-Object -TypeName AuditInfo -Property @{ + Id = "2.1.2" + Task = "Ensure something entirely different" + Message = "All good" + Audit = [AuditStatus]::True + }) + ) + }, + @{ + Title = "Second subsection of section 2" + AuditInfos = @( + (New-Object -TypeName AuditInfo -Property @{ + Id = "2.2.1" + Task = "Ensure something way different" + Message = "Oops, something went wrong!" + Audit = [AuditStatus]::False + }) + ) + } + ) +} +``` + +Tied up, the full usage of the `Get-ATAPHtmlReport` function could look like this: + +```powershell +Get-ATAPHtmlReport ` + -Path $Path ` + -Title "My Audit Benchmark" ` + -ModuleName "MyAuditBenchmark" ` + -BasedOn "My Audit Benchmarks Benchmark vX.X.X.X" ` + -HostInformation (Get-MyHostInformation) ` + -Sections $reportSections +``` + +## Troubleshooting +Using `Import-Module` instead of installing might not work. Please follow the outlined steps above. diff --git a/ATAPHtmlReport/Settings.psd1 b/ATAPHtmlReport/Settings.psd1 new file mode 100644 index 0000000..58108ab --- /dev/null 
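Review bot: the README examples build audit entries with `New-Object -TypeName AuditInfo` and `Audit = [AuditStatus]::True`, whereas ConvertTo-HtmlTable.Tests.ps1 in this same patch uses `Status = [AuditInfoStatus]::False`; one of the two sets of names is stale, so align the README with the class, property and enum names the module actually exports. Also fix the typos in the Installation and Usage text ("Findout out", "modul", "whether the the system") and document how `-Path` is interpreted, since the implementation treats a path matching `.html` as a file name and anything else as a directory into which a timestamped file is written.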
+++ b/ATAPHtmlReport/Settings.psd1 
@@ -0,0 +1,57 @@ +<# +BSD 3-Clause License + +Copyright (c) 2023, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#> + +<# + Author(s): Benedikt Böhme, Dennis Esly + Date: 07/20/2018 + Version: 1.0 + Last Change: 07/20/2018 +#> + +@{ + PackageLink = "https://github.com/fbprogmbh/Audit-Test-Automation" + SolutionsLink = "https://www.fb-pro.com/enforce-suite" + + Logo = "data:image/jpeg;base64,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" + + LogoSvg = "" + + EA = "data:image/jpeg;base64,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" + + ATAP = " data:image/jpeg;base64,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 + 0nEMrtLVsbfaNrQ/IeS5bwh1hMaQBLeRxKS43ovUt8SQSHDxnkpDxPmBJ5g2qdFTdLvkF9uGQrVGV2sq13ZhoR4IX2hAXFfYbWHNPOTxJ0GtEqjdi5LXyz3e4v8AqeMRmZmat5U5kUN+4faU1lN4euXq8uO6gx0qQ29wJW2raQNdlFRZfdyyOOi1xrbfYLFtXiMa2X23NreYKL6ibZFyp8N5tHGlMmNahxa6KDqUrHprICcZ1ytyi95FEyS0TvWnOXcO3yeXLd0lGXMnXFu6JuU5MqZI1Wwl1MZiOFhSiUFYV5tBqHcQzpjllkfJ1rF5ravXn5tpz63y4AjSkSb+i5B4tvOl9uYlpxSl8bCm+NBIUpKkghC7jy5zrHeY96vzz2XZba5ORrlM5XHttju1xkRnMet8QB2I6ywx2SXmFtFSWg4OEdepCwOaFm5gzeYOLZrYMcZu9h5VN2+5QYSluJuEuVcJnZ3YW9pCFIcW3bUFspWpA1cISSaFVVZ7YcjnYanGo+P3t6XglqzVrJEpgy+yfRc7rHVD9UcDfDL9YY4nEpZKyEBXEEnzaDbv40xduYNhtdlst0hckrnfZarJZuzuVsY7ZGN3Fyc600osPsRlSRH7MHgQXkrLY26kDDH4eHK5AmTcZV1mZFYrMzNwyRebp9sx7ndNQ7eURHXlpmMq85MtD2xlDYWjTzkqCUZnnt3tsXLLRb8ncYyi05Vkj67Uh5Bms2WPjcu4RnQ0rVQjoc7FxKtOHi0GuuyiURO059m96uGH4XkGaysYvbE3HbRmV2tvqrCnjJtF+uLc1hU1h5tKZ7cWI6rzSAoLbGmiqKsV6/5lfOXuI5Bac7XbprmVN2F6/wAC329+PeYL19FpanBqS08lHaMjtU9kUpKla7UcIoIo9zoyixK5iJuclM049Bun2I5cLYITCpzd/FitvYOsLBlsqUoKlEJBbVoAoBYABpnvE3lQt8h20Qfs664jZJ8WehDqm2shmTZceXEeUF7GVtwXixsCuJHConiSKDnZJz1yTFGJAubWNMXxN9nwX8UnouEGXBYiwpk2LFWvV31p+emMlMZ5lvsllR4UKKdKCZT+djcGfmUByyxYTmNW60S4SblcURSt+c7DZnszSlt31ZMBdwjhxeitdVaDzaJRpIneLt0qLkMoY0jix3H3L8q3N3eOZtyQ2ua2n7JYW2j1ph0wuJt/iQkocQopG2ipC7zthvy7WzjuH3TKYl4u8Gxw7jElW9hHrk+1JvDaSmTIaUAlgqCz0LQU79KCbcvs4Z5hY8zksSyTbJb5nCu3InPQ3XH2HEBaHQIciQG9QdOBwpWDvSKCcUBQFEok2KafaL2z/s6vrJoQsKio/kv7uT/bI8hoIHQB3GgXvA1ojHCOiiqt5z3GbaOXd1mwJ7ltkC42NhUxqYq3KDMm8QmH0+uI85gLacUhSx6IJNB1rxTLcovvMTAsdl
VJmIWLZlrXrmBsZQSfw1bB71YTf1NluLrUvzbdddtFtU4sr1mHXXdsbVuFb9JNb57GGpiItinW60TflV6TiWxiUYMY5A02Kf43lfTWdPgArnyT8TOFn25s/ZjKUrLSloUQ4nTiSVE6KGoI1G/aK03RWrfjmlNlXTDmHyAyy3iVdMefOWRFKU6+wlPBcAVElSi3tDu3aSg6/i1+Xcy8o6nBM34p+bG+f7/q6e71P2rknnvR6iIxZ4+Tduj/AOP0bd9vfs9LqBd2nGXH477SmX2VFD7DiSlaFDelSVaEEdRr5u2Jtmk74foOO6Loi6JrE7pWT3beXCOYHNGDIuDAex/DQm8XVtaSpt1xC9IjB6POcHEQfkoNfSeX9F/M6mJnw2bZ+yPX7nzHnXnH+n6C62yaZMvwW9cR+K7ujZ2zD1Wv95jWG2SrrLPGGh+Za18511XooHjO/wAFfpNJmX4DWkOlt8kTb3cpEuQvtptxeK3VDdqrqHQEjd4K3xHRDRM9MpNY7EudMt9jig/nl + 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 + 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" + + EnforceTap = "data:image/png;base64,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" + +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Compare-EqualCISVersions.Tests.ps1 b/ATAPHtmlReport/Tests/Compare-EqualCISVersions.Tests.ps1 new file mode 100644 index 0000000..eb0d0d6 --- /dev/null +++ b/ATAPHtmlReport/Tests/Compare-EqualCISVersions.Tests.ps1 
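Review bot: the file header still reads `Date: 07/20/2018`, `Version: 1.0`, `Last Change: 07/20/2018` while the licence block above it is dated 2023 and the image data was clearly added later; update the header or drop it so it does not mislead. In the data itself, `ATAP = " data:image/jpeg;base64,` starts with a space before `data:` and its base64 text is broken across indented lines, so the string contains newlines and leading whitespace; browsers tolerate this, but `Logo`, `EA` and `EnforceTap` are single-line strings, so make `ATAP` match them. `LogoSvg = ""` is an empty key nothing can use, and the key is spelled `EnforceTap` here but read as `$Settings.EnforceTAP` in the report module; hashtable keys are case-insensitive so it works, but use one spelling.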
@@ -0,0 +1,224 @@ + +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + + +InModuleScope ATAPHtmlReport { + Describe 'Testing Compare-EqualCISVersions' { + + It 'Test Windows 7' { + $BasedOn = @( + "CIS Microsoft Windows 7 Workstation Benchmark, Version: 3.1.0, Date: 2018-03-02" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2019 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $false + } + + catch { + $false | Should -Be $true + } + } + It 'Test Windows 10' { + $BasedOn = @( + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15" + "DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25" + "Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "ACSC Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2021, Date 2021-10-01" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible 
= @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2019 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } + + catch { + $false | Should -Be $true + } + } + It 'Test Windows 10 stand-alone' { + $BasedOn = @( + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.1, Date: 2019-07-31" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2019 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } 
+ + catch { + $false | Should -Be $true + } + } + It 'Test Windows 11' { + $BasedOn = @( + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14" + "Security baseline for Microsoft Windows 11, Version: 20H2, Date: 2020-12-17" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.1, Date: 2019-07-31" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2019 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } + + catch { + $false | Should -Be $true + } + } + It 'Test Windows 11 stand-alone' { + $BasedOn = @( + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.1, Date: 2019-07-31" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS 
Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2019 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } + + catch { + $false | Should -Be $true + } + } + It 'Test Windows Server 2019' { + $BasedOn = @( + "Windows Server 2019 Security Technical Implementation Guide, Version: 1.5, Date: 2020-06-17" + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18" + "Microsoft Security baseline for Windows Server 2019, Version: FINAL, Date 2019-06-18" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2019 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } + + catch { + $false | Should -Be 
$true + } + } + It 'Test Windows Server 2022' { + $BasedOn = @( + "Security baseline for Microsoft Windows Server 2022, Version: FINAL, Date 2021-09-27" + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14" + "DISA Windows Server 2022, Version: V1R1, Date 2022-09-28" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08" + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15" + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15" + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14" + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18" + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + try { + Compare-EqualCISVersions -Title "Windows Server 2022 Audit Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } + + catch { + $false | Should -Be $true + } + } + It 'Test for unmatching versions of CIS and MITRE mapping' { + $BasedOn = @( + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.15.0, Date: 2023-02-15" + "DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25" + "Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "ACSC Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2021, Date 2021-10-01" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 
2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + Compare-EqualCISVersions -Title "Windows 10 Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $false + } + + It 'Test for matching versions of CIS and MITRE mapping' { + $BasedOn = @( + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15" + "DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25" + "Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "ACSC Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2021, Date 2021-10-01" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 
21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + Compare-EqualCISVersions -Title "Windows 10 Report" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $true + } + + It 'Test for matching versions of CIS and MITRE mapping but wrong OS' { + $BasedOn = @( + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15" + "DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25" + "Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18" + "Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03" + "SiSyPHuS Recommendations for Telemetry Components: Version 1.2, Date: 2020-04-27" + "ACSC Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2021, Date 2021-10-01" + "FB Pro recommendations 'Ciphers Protocols and Hashes Benchmark', Version 1.1.0, Date: 2021-04-15" + "FB Pro recommendations 'Enhanced settings', Version 1.1.0, Date: 2023-02-24" + ) + $MitreMappingCompatible = @("CIS Microsoft Windows 10 Stand-alone Benchmark, Version: 1.0.1, Date: 2022-02-08", + "CIS Microsoft Windows 11 Stand-alone Benchmark, Version: 1.0.0, Date: 2022-11-15", + "CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15", + "CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14", + "CIS Microsoft Windows Server 2019 Benchmark, Version: 1.3.0, Date: 2022-03-18", + "CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14") + Compare-EqualCISVersions -Title "Debian 10" -ReportBasedOn:$BasedOn -MitreMappingCompatible:$MitreMappingCompatible | Should -Be $false + } + } +} \ No newline at end of file 
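Review bot: the try/catch in 'Test Windows Server 2022' (Compare-EqualCISVersions.Tests.ps1) hides the real failure: if Compare-EqualCISVersions throws, the catch block reports only `$false | Should -Be $true`, with no trace of what was thrown. Pester already fails an It block on an unhandled exception and prints it, so drop the try/catch, or, if the intent is to assert that the call does not throw, write `{ Compare-EqualCISVersions -Title "Windows Server 2022 Audit Report" ... } | Should -Not -Throw` and assert on the return value separately. A smaller point in the same test: its `$MitreMappingCompatible` array lists elements newline-separated without commas, while the other three It blocks use commas; newline separation is valid inside `@()`, but one consistent style avoids a silent breakage if someone later joins those lines.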
diff --git a/ATAPHtmlReport/Tests/ConvertTo-HtmlTable.Tests.ps1 b/ATAPHtmlReport/Tests/ConvertTo-HtmlTable.Tests.ps1 new file mode 100644 index 0000000..7cc9a7a --- /dev/null +++ b/ATAPHtmlReport/Tests/ConvertTo-HtmlTable.Tests.ps1 @@ -0,0 +1,50 @@ + +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing ConvertTo-HtmlTable' { + It 'tests with an example Report' { + + $AuditInfos = @{Id = "1.1.4" + Status = [AuditInfoStatus]::False + }, + @{Id = "1.2.3" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.4" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.6" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.5" + Status = [AuditInfoStatus]::False + }, + @{Id = "1.4.5" + Status = [AuditInfoStatus]::True + } + + $Subsection = @{AuditInfos = $AuditInfos } + + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $Section2 = @{Title = "DISA" + $Subsection = $null + } + + $Sections = $Section1, $Section2 + + + $Mappings = $Sections | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + # call the function under test and split by opening and closing brackets. Result should be an array of tags. + $tags = (ConvertTo-HtmlTable $Mappings.map).Split("<").Split(">") + $tags | Should -Contain 'table id="MITRETable"' + $tags | Should -Contain 'a href="https://attack.mitre.org/tactics/TA0007/"' + $tags | Should -Contain 'Discovery' + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Get-ColorValue.Tests.ps1 b/ATAPHtmlReport/Tests/Get-ColorValue.Tests.ps1 new file mode 100644 index 0000000..96577f9 --- /dev/null +++ b/ATAPHtmlReport/Tests/Get-ColorValue.Tests.ps1 
@@ -0,0 +1,55 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe "Testing Get-ColorValue" { + It "Should return hundred" { + $result = Get-ColorValue -FirstValue 10 -SecondValue 10 + $result | Should -Be "#33cca6" + } + It "Should return ninety" { + $result = Get-ColorValue -FirstValue 9 -SecondValue 10 + $result | Should -Be "#52CC8F" + } + It "Should return eighty" { + $result = Get-ColorValue -FirstValue 8 -SecondValue 10 + $result | Should -Be "#70CC78" + } + It "Should return seventy" { + $result = Get-ColorValue -FirstValue 7 -SecondValue 10 + $result | Should -Be "#8FCC61" + } + It "Should return sixty" { + $result = Get-ColorValue -FirstValue 6 -SecondValue 10 + $result | Should -Be "#ADCC4A" + } + It "Should return fifty" { + $result = Get-ColorValue -FirstValue 5 -SecondValue 10 + $result | Should -Be "#CCCC33" + } + It "Should return fourty" { + $result = Get-ColorValue -FirstValue 4 -SecondValue 10 + $result | Should -Be "#CCA329" + } + It "Should return thirty" { + $result = Get-ColorValue -FirstValue 3 -SecondValue 10 + $result | Should -Be "#CC7A1F" + } + It "Should return twenty" { + $result = Get-ColorValue -FirstValue 2 -SecondValue 10 + $result | Should -Be "#CC5214" + } + It "Should return ten" { + $result = Get-ColorValue -FirstValue 1 -SecondValue 10 + $result | Should -Be "#CC290A" + } + It "Should return zero" { + $result = Get-ColorValue -FirstValue 0 -SecondValue 10 + $result | Should -Be "#cc0000" + } + It "Should return empty" { + $result = Get-ColorValue -FirstValue 0 -SecondValue 0 + $result | Should -Be "#a7a7a7" + } + } +} diff --git a/ATAPHtmlReport/Tests/Get-MitigationsFromFailedTests.Tests.ps1 b/ATAPHtmlReport/Tests/Get-MitigationsFromFailedTests.Tests.ps1 new file mode 100644 index 0000000..e929ce1 --- /dev/null +++ b/ATAPHtmlReport/Tests/Get-MitigationsFromFailedTests.Tests.ps1 
@@ -0,0 +1,419 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" +$global:CISToAttackMappingData = Get-Content -Raw "$PSScriptRoot\..\resources\CISToAttackMappingData.json" | ConvertFrom-Json + +InModuleScope ATAPHtmlReport { + function global:Add-ToAuditInfos{ + param( + [Parameter(Mandatory = $true)] + [string] + $Mitigation, + [Parameter(Mandatory = $true)] + [bool] + $AllIDsFalse + ) + $json = $CISToAttackMappingData.'CISAttackMapping' + $json.psobject.properties.name | Where-Object {$json.$_.'Mitigation1' -eq $Mitigation -or $json.$_.'Mitigation2' -eq $Mitigation} | ForEach-Object {return $json.$_.'Recommendation'} | ForEach-Object { + if($AllIDsFalse) { + $global:AuditInfos += @{ + Id = $_ + Status = [AuditInfoStatus]::False + } + } + else { + $global:AuditInfos += @{ + Id = $_ + Status = [AuditInfoStatus]::True + } + } + } + } + Describe 'testing function Get-MitigationsFromFailedTests' { + It 'tests the amount of techniques in report' { + $global:AuditInfos = @() + + $global:AuditInfos += @{ + #T1489 + Id = "18.8.5.3" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1555 + Id = "18.9.65.2.2" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1569 #T1011 + Id = "5.1" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1115 + Id = "2.2.1" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1048 + Id = "5.12" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1059 + Id = "18.9.31.4" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1003 + Id = "1.1.7" + Status = [AuditInfoStatus]::False + } + $global:AuditInfos += @{ + #T1016 + Id = "18.5.19.2.1" + Status = [AuditInfoStatus]::False + } + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | 
ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + + $json = $CISToAttackMappingData.'CISAttackMapping' + + foreach($Mitigation in $CISAMitigations.Keys) { + $Techniques = @() + $global:AuditInfos | Where-Object {$_.Status -eq [AuditInfoStatus]::False} | + Where-Object {$json.($_.Id).'Mitigation1' -eq $Mitigation -or $json.($_.Id).'Mitigation2' -eq $Mitigation} | + ForEach-Object { + if($null -ne $json.($_.Id).'Technique1' -and $Techniques -notcontains $json.($_.Id).'Technique1'){ + $Techniques += $json.($_.Id).'Technique1' + } + if($null -ne $json.($_.Id).'Technique2' -and $Techniques -notcontains $json.($_.Id).'Technique2'){ + $Techniques += $json.($_.Id).'Technique2' + } + } + $Techniques = $Techniques | Sort-Object + $CISAMitigations[$Mitigation]['MitreTechniqueIDs'] = $CISAMitigations[$Mitigation]['MitreTechniqueIDs'] | Sort-Object + for($i = 0; $i -lt $CISAMitigations[$Mitigation]['MitreTechniqueIDs'].length; $i++) { + $CISAMitigations[$Mitigation]['MitreTechniqueIDs'][$i] | Should -Be $Techniques[$i] + } + } + } + It 'tests with an example report where every status is [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $true + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title 
-eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Be @('M1017', 'M1018', 'M1021', 'M1027', 'M1028', 'M1030', 'M1031', 'M1038', 'M1041', 'M1042') + } + It 'tests with an example report where every status is [AuditInfoStatus]::True' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Be @() + } + It 'tests with an example report where just M1017 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 
'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1017') + } + It 'tests with an example report where just M1018 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1018') + } + It 'tests with an example report where just M1021 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + 
Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1021') + } + It 'tests with an example report where just M1027 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | 
Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1027') + } + It 'tests with an example report where just M1028 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1028') + } + It 'tests with an example report where just M1030 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 
'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1030') + } + It 'tests with an example report where just M1031 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1031') + } + It 'tests with an example report where just M1038 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + 
Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1038') + } + It 'tests with an example report where just M1041 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $true + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $false + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1041') + } + It 'tests with an example report 
where just M1042 ids are [AuditInfoStatus]::False' { + $global:AuditInfos = @() + + Add-ToAuditInfos -Mitigation 'M1017' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1018' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1021' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1027' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1028' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1030' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1031' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1038' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1041' -AllIDsFalse $false + Add-ToAuditInfos -Mitigation 'M1042' -AllIDsFalse $true + + $Subsection = @{AuditInfos = $global:AuditInfos } + $Section1 = @{ + Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + #Tests + $CISAMitigations = $mitreMap.Map | Get-MitigationsFromFailedTests + $CISAMitigations.Keys | Should -Contain @('M1042') + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Get-MitreTacticName.Tests.ps1 b/ATAPHtmlReport/Tests/Get-MitreTacticName.Tests.ps1 new file mode 100644 index 0000000..e16354f --- /dev/null +++ b/ATAPHtmlReport/Tests/Get-MitreTacticName.Tests.ps1 @@ -0,0 +1,12 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing Get-MitreTacticName' { + It 'tests with example Values' { + Get-MitreTacticName -TacticId 'TA0042' | Should -Be "Resource Development" + Get-MitreTacticName -TacticId 'TA0004' | Should -Be "Privilege Escalation" + Get-MitreTacticName -TacticId 'TA0008' | Should -Be "Lateral Movement" + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Get-MitreTactics.Tests.ps1 b/ATAPHtmlReport/Tests/Get-MitreTactics.Tests.ps1 new file mode 100644 index 0000000..b8c1fd2 
--- /dev/null +++ b/ATAPHtmlReport/Tests/Get-MitreTactics.Tests.ps1 @@ -0,0 +1,13 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing Get-MitreTactics' { + It 'tests with example Values' { + + Get-MitreTactics -TechniqueID "T1591" | Should -Be 'TA0043' + + Get-MitreTactics -TechniqueID "T1056" | Should -Be 'TA0009', 'TA0006' + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Get-MitreTechniqueName.Tests.ps1 b/ATAPHtmlReport/Tests/Get-MitreTechniqueName.Tests.ps1 new file mode 100644 index 0000000..404c543 --- /dev/null +++ b/ATAPHtmlReport/Tests/Get-MitreTechniqueName.Tests.ps1 @@ -0,0 +1,17 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing Get-MitreTechniqueName' { + It 'tests with example values' { + Get-MitreTechniqueName -TechniqueID "T1591" | Should -Be 'Gather Victim Org Information' + Get-MitreTechniqueName -TechniqueID "T1056" | Should -Be 'Input Capture' + Get-MitreTechniqueName -TechniqueID "T1056" | Should -BeOfType String + } + + It 'tests with wrong values' { + Get-MitreTechniqueName -TechniqueID "TXXXX" | Should -Be $null + Get-MitreTechniqueName -TechniqueID "TXXXX" | Should -Not -Be 'Input Capture' + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Get-TacticCounter.Tests.ps1 b/ATAPHtmlReport/Tests/Get-TacticCounter.Tests.ps1 new file mode 100644 index 0000000..f8bc8f1 --- /dev/null +++ b/ATAPHtmlReport/Tests/Get-TacticCounter.Tests.ps1 
@@ -0,0 +1,71 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + + Describe "Testing Get-TacticCounter" { + Context "When counting for a tactic without mapped tests" { + It "Should return 0" { + $AuditInfos = @{Id = "1.1.4" + Status = [AuditInfoStatus]::False + }, + @{Id = "1.2.3" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.4" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.6" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.5" + Status = [AuditInfoStatus]::False + }, + @{Id = "1.4.5" + Status = [AuditInfoStatus]::True + } + + $Subsection = @{AuditInfos = $AuditInfos } + + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $Sections = $Section1 + + + $Mappings = $Sections | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + $result = Get-TacticCounter -tactic $Mappings.Map["TA0042"] $Mappings.Map + $result | Should -Be 0 + } + } + + Context "Counter should be 1 if a technique is a 100% fullfilled" { + It "Should be 1" { + $AuditInfos = @{Id = "18.9.48.13" + Status = [AuditInfoStatus]::True + }, + @{Id = "18.9.87.1" + Status = [AuditInfoStatus]::True + } + + $Subsection = @{AuditInfos = $AuditInfos } + + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $Sections = $Section1 + + + $Mappings = $Sections | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + + $Mappings.Map["TA0043"]["T1592"]["18.9.87.1"] | Should -Be True + $Mappings.Map["TA0043"]["T1592"]["18.9.48.13"] | Should -Be True + $Mappings.Map["TA0043"]["T1592"].count | Should -Be 2 + Get-TacticCounter "TA0043" $Mappings.Map | Should -Be 1 + } + } + } +} \ No newline at end of file 
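Review bot: in the first Context of Get-TacticCounter.Tests.ps1, `Get-TacticCounter -tactic $Mappings.Map["TA0042"] $Mappings.Map` passes the tactic's technique hashtable as `-tactic`, while the second Context passes the tactic ID string `"TA0043"`. One of the two calls uses the wrong argument type; the first should read `Get-TacticCounter -tactic "TA0042" $Mappings.Map` so that both tests exercise the same signature, and the "returns 0 for a tactic without mapped tests" case should be verified to hit the intended code path rather than an accidental null lookup. 'fullfilled' in the Context name should be 'fulfilled'.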
diff --git a/ATAPHtmlReport/Tests/Merge-CisAuditsToMitreMap.Tests.ps1 b/ATAPHtmlReport/Tests/Merge-CisAuditsToMitreMap.Tests.ps1 new file mode 100644 index 0000000..fdffa85 --- /dev/null +++ b/ATAPHtmlReport/Tests/Merge-CisAuditsToMitreMap.Tests.ps1 @@ -0,0 +1,50 @@ + +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing Merge-CisAuditsToMitreMap' { + It 'tests with an example Report' { + + $AuditInfos = @{Id = "1.1.4" + Status = [AuditInfoStatus]::False + }, + @{Id = "1.2.3" + Status = [AuditInfoStatus]::True + }, + @{Id = "1.2.5" + Status = [AuditInfoStatus]::False + }, + @{Id = "1.4.5" + Status = [AuditInfoStatus]::True + } + + $Subsection = @{AuditInfos = $AuditInfos } + + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $Section2 = @{Title = "DISA" + $Subsection = $null + } + + $Sections = $Section1, $Section2 + + $mapping = $Sections | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + foreach ($tactic in $mapping.Keys) { + Write-Host "$tactic = " + foreach ($technique in $($mapping[$tactic]).Keys) { + Write-Host " $technique = " + foreach ($id in $($($mapping[$tactic])[$technique]).Keys) { + Write-Host " $id = $($($($mapping[$tactic])[$technique])[$id])" + } + } + } + + $mapping.GetType() | Should -Be "MitreMap" + $mapping.Map["TA0001"]["T1078"]["1.1.4"] | Should -Be False + $mapping.Map["TA0006"]["T1110"]["1.2.3"] | Should -Be True + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/MitreMap.Tests.ps1 b/ATAPHtmlReport/Tests/MitreMap.Tests.ps1 new file mode 100644 index 0000000..38216b6 --- /dev/null +++ b/ATAPHtmlReport/Tests/MitreMap.Tests.ps1 
@@ -0,0 +1,101 @@ + +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + + +InModuleScope ATAPHtmlReport { + Describe 'Testing MitreMap' { + It 'tests correct amount of techniques per tacitc' { + $mitreMap = [MitreMap]::new() + #$mitreMap.Print() + + $mitreMap.map['TA0043'].count | Should -Be 10 + $mitreMap.map['TA0042'].count | Should -Be 8 + $mitreMap.map['TA0001'].count | Should -Be 9 + $mitreMap.map['TA0002'].count | Should -Be 14 + $mitreMap.map['TA0003'].count | Should -Be 19 + $mitreMap.map['TA0004'].count | Should -Be 13 + $mitreMap.map['TA0005'].count | Should -Be 42 + $mitreMap.map['TA0006'].count | Should -Be 17 + $mitreMap.map['TA0007'].count | Should -Be 31 + $mitreMap.map['TA0008'].count | Should -Be 9 + $mitreMap.map['TA0009'].count | Should -Be 17 + $mitreMap.map['TA0011'].count | Should -Be 16 + $mitreMap.map['TA0010'].count | Should -Be 9 + $mitreMap.map['TA0040'].count | Should -Be 13 + } + + It 'tests some values' { + $mitreMap = [MitreMap]::new() + + $mitreMap.map['TA0043'].ContainsKey('T1597') | Should -Be $true + $mitreMap.map['TA0001'].ContainsKey('T1200') | Should -Be $true + $mitreMap.map['TA0043'].ContainsKey('T1037') | Should -Be $false + $mitreMap.map['TA0006'].ContainsKey('T1612') | Should -Be $false + } + } +} + +InModuleScope ATAPHtmlReport { + Describe 'testing functions of the class MitreMap' { + It 'tests with an example report' { + #Dummy-Data + $AuditInfos = + @{ + Id = "1.1.4" + Status = [AuditInfoStatus]::False + }, + @{ + Id = "1.2.3" + Status = [AuditInfoStatus]::True + }, + @{ + Id = "1.2.5" + Status = [AuditInfoStatus]::False + }, + @{ + Id = "1.4.5" + Status = [AuditInfoStatus]::True + } + $Subsection = @{AuditInfos = $AuditInfos } + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + #$mitreMap.Print() + + #Tests + 
$mitreMap.GetType() | Should -Be "MitreMap" + $mitreMap.Map["TA0001"]["T1078"]["1.1.4"].GetType() | Should -Be 'AuditInfoStatus' + $mitreMap.Map["TA0001"]["T1078"]["1.1.4"] | Should -Be False + $mitreMap.Map["TA0006"]["T1110"]["1.2.3"] | Should -Be True + + $failedIDs = @() + foreach ($tactic in $mitreMap.Map.Keys) { + foreach ($technique in $mitreMap.Map[$tactic].Keys) { + $mitreMap.Map[$tactic][$technique].Keys | + Where-Object {$mitreMap.Map[$tactic][$technique][$_] -eq [AuditInfoStatus]::False} | + ForEach-Object { + if($failedIDs -notcontains $_){ + $failedIDs += $_ + } + } + } + } + $CISAMedigations = @() + $json = Get-Content -Raw "$PSScriptRoot\..\resources\CISToAttackMappingData.json" | ConvertFrom-Json + foreach($i in $failedIDs) { + if($null -ne $json.'CISAttackMapping'.$i.'Mitigation1' -and $CISAMedigations -notcontains $json.'CISAttackMapping'.$i.'Mitigation1'){ + $CISAMedigations += $json.'CISAttackMapping'.$i.'Mitigation1' + } + if($null -ne $json.'CISAttackMapping'.$i.'Mitigation2' -and $CISAMedigations -notcontains $json.'CISAttackMapping'.$i.'Mitigation2'){ + $CISAMedigations += $json.'CISAttackMapping'.$i.'Mitigation2' + } + } + foreach($i in $CISAMedigations) { + Write-Host $i + } + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/OrderTactics.Test.ps1 b/ATAPHtmlReport/Tests/OrderTactics.Test.ps1 new file mode 100644 index 0000000..3025a3b --- /dev/null +++ b/ATAPHtmlReport/Tests/OrderTactics.Test.ps1 
@@ -0,0 +1,43 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'testing tactic order in MitreMap' { + It 'tests with an example report' { + #Dummy-Data + $AuditInfos = + @{ + Id = "1.1.4" + Status = [AuditInfoStatus]::False + }, + @{ + Id = "1.2.3" + Status = [AuditInfoStatus]::True + }, + @{ + Id = "1.2.5" + Status = [AuditInfoStatus]::False + }, + @{ + Id = "1.4.5" + Status = [AuditInfoStatus]::True + } + $Subsection = @{AuditInfos = $AuditInfos } + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + $mitreMap.Print() + + $tactics = (Get-Content -Raw "$PSScriptRoot\..\resources\MitreTactics.json" | ConvertFrom-Json).psobject.properties.name + + #check order + $i = 0 + foreach ($tactic in $mitreMap.Map.Keys) { + $tactic | Should -Be $tactics[$i] + $i++ + } + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/Test-CompatibleMitreReport.Tests.ps1 b/ATAPHtmlReport/Tests/Test-CompatibleMitreReport.Tests.ps1 new file mode 100644 index 0000000..4f23de3 --- /dev/null +++ b/ATAPHtmlReport/Tests/Test-CompatibleMitreReport.Tests.ps1 
@@ -0,0 +1,24 @@ +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing Check-CompatibleMitreReport' { + It 'Testing with diffrent Reports' { + $Title = "Windows 10 Report" + $os = [System.Environment]::OSVersion.Platform + Test-CompatibleMitreReport -Title $Title -os $os | Should -Be $true + + $Title = "Windows 11 Report" + Test-CompatibleMitreReport -Title $Title -os $os | Should -Be $true + + $Title = "Windows Server 2019 Audit Report" + Test-CompatibleMitreReport -Title $Title -os $os | Should -Be $true + + $Title = "Windows Server 2022 Audit Report" + Test-CompatibleMitreReport -Title $Title -os $os | Should -Be $true + + $Title = "Windows 7 Report" + Test-CompatibleMitreReport -Title $Title -os $os | Should -Be $false + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/get-MitreLink.Tests.ps1 b/ATAPHtmlReport/Tests/get-MitreLink.Tests.ps1 new file mode 100644 index 0000000..a82bad3 --- /dev/null +++ b/ATAPHtmlReport/Tests/get-MitreLink.Tests.ps1 @@ -0,0 +1,20 @@ + +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + + +InModuleScope ATAPHtmlReport { + Describe 'Testing get-MitreLink' { + It 'tests for tactics' { + get-MitreLink -type tactics -id 'TA0001' | Should -Be 'https://attack.mitre.org/tactics/TA0001/' + get-MitreLink -type tactics -id 'TA0008' | Should -Be 'https://attack.mitre.org/tactics/TA0008/' + } + It 'tests for techniques' { + get-MitreLink -type techniques -id 'T1548' | Should -Be 'https://attack.mitre.org/techniques/T1548/' + get-MitreLink -type techniques -id 'T1119' | Should -Be 'https://attack.mitre.org/techniques/T1119/' + } + It 'tests for techniques' { + get-MitreLink -type mitigations -id 'M1047' | Should -Be 'https://attack.mitre.org/mitigations/M1047/' + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/readFromJson.Tests.ps1 b/ATAPHtmlReport/Tests/readFromJson.Tests.ps1 new file mode 100644 index 0000000..286f2b2 --- /dev/null 
+++ b/ATAPHtmlReport/Tests/readFromJson.Tests.ps1 
@@ -0,0 +1,73 @@ + +#Import-Module +& "$PSScriptRoot\updateATAP.ps1" + +InModuleScope ATAPHtmlReport { + Describe 'Testing MitreMap' { + It 'tests correct amount of techniques per tacitc' { + $mitreMap = [MitreMap]::new() + $mitreMap.Print() + + $mitreMap.map['TA0043'].count | Should -Be 10 + $mitreMap.map['TA0042'].count | Should -Be 8 + $mitreMap.map['TA0001'].count | Should -Be 9 + $mitreMap.map['TA0002'].count | Should -Be 14 + $mitreMap.map['TA0003'].count | Should -Be 19 + $mitreMap.map['TA0004'].count | Should -Be 13 + $mitreMap.map['TA0005'].count | Should -Be 42 + $mitreMap.map['TA0006'].count | Should -Be 17 + $mitreMap.map['TA0007'].count | Should -Be 31 + $mitreMap.map['TA0008'].count | Should -Be 9 + $mitreMap.map['TA0009'].count | Should -Be 17 + $mitreMap.map['TA0011'].count | Should -Be 16 + $mitreMap.map['TA0010'].count | Should -Be 9 + $mitreMap.map['TA0040'].count | Should -Be 13 + } + + It 'tests some values' { + $mitreMap = [MitreMap]::new() + + $mitreMap.map['TA0043'].ContainsKey('T1597') | Should -Be $true + $mitreMap.map['TA0001'].ContainsKey('T1200') | Should -Be $true + $mitreMap.map['TA0043'].ContainsKey('T1037') | Should -Be $false + $mitreMap.map['TA0006'].ContainsKey('T1612') | Should -Be $false + } + } +} + +InModuleScope ATAPHtmlReport { + Describe 'testing read from json' { + It 'tests if json file is read in correctly' { + $AuditInfos = + @{ + Id = "1.1.4" + Status = [AuditInfoStatus]::False + }, + @{ + Id = "1.2.3" + Status = [AuditInfoStatus]::True + }, + @{ + Id = "1.2.5" + Status = [AuditInfoStatus]::False + }, + @{ + Id = "1.4.5" + Status = [AuditInfoStatus]::True + } + $Subsection = @{AuditInfos = $AuditInfos } + $Section1 = @{Title = "Cis Benchmarks" + SubSections = $Subsection + } + + $mitreMap = $Section1 | Where-Object { $_.Title -eq "CIS Benchmarks" } | ForEach-Object { return $_.SubSections } | ForEach-Object { return $_.AuditInfos } | Merge-CisAuditsToMitreMap + $mitreMap.Print() + + #Tests + $mitreMap.GetType() | 
Should -Be "MitreMap" + $mitreMap.Map["TA0001"]["T1078"]["1.1.4"].GetType() | Should -Be 'AuditInfoStatus' + $mitreMap.Map["TA0001"]["T1078"]["1.1.4"] | Should -Be False + $mitreMap.Map["TA0006"]["T1110"]["1.2.3"] | Should -Be True + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/Tests/updateATAP.ps1 b/ATAPHtmlReport/Tests/updateATAP.ps1 new file mode 100644 index 0000000..ba42701 --- /dev/null +++ b/ATAPHtmlReport/Tests/updateATAP.ps1 @@ -0,0 +1,16 @@ +#set the directory where you are programming +$dev_directory = "$PSScriptRoot\..\.." + +#deletes the old modules, if they exist +if(Test-Path "C:\Program Files\WindowsPowerShell\Modules\ATAPAuditor") { + Remove-Item -Path "C:\Program Files\WindowsPowerShell\Modules\ATAPAuditor" -recurse +} +if(Test-Path "C:\Program Files\WindowsPowerShell\Modules\ATAPHtmlReport") { + Remove-Item -Path "C:\Program Files\WindowsPowerShell\Modules\ATAPHtmlReport" -recurse +} +#copys the new modules to the module path of powershell +Copy-Item ($dev_directory + "\ATAPAuditor") -Destination "C:\Program Files\WindowsPowerShell\Modules" -recurse +Copy-Item ($dev_directory + "\ATAPHtmlReport") -Destination "C:\Program Files\WindowsPowerShell\Modules" -recurse +#imports ATAPAuditor and ATAPHtmlReport +Import-Module ATAPAuditor -Force +Import-Module ATAPHtmlReport -Force \ No newline at end of file diff --git a/ATAPHtmlReport/report.css b/ATAPHtmlReport/report.css new file mode 100644 index 0000000..f65c09e --- /dev/null +++ b/ATAPHtmlReport/report.css 
@@ -0,0 +1,1203 @@ +:root { + /* === Base colors === */ + /* Raw color values without semantic meaning */ + /* ! IMPORTANT " */ + --company-red: #A81A1B; + --color-white: #ffffff; + --color-black: #000000; + --color-green: #27AE60; + --color-orange: #F39C12; + --color-grey: #95A5A6; + --color-purple: #8E44AD; + --color-blue: #1900ff; + + --color-dark-gray: #d2d2d2; /* Dont ask, lightgray is darker than gray */ + --color-light-gray: #efefef; + + /* === Semantic colors === */ + /* Use these variables in layouts and components */ + /* status true in checks*/ + --status-true: var(--color-green); + /* status false in checks*/ + --status-false: var(--company-red); + /* warning in checks */ + --status-warning: var(--color-orange); + /* neutral / status none in checks */ + --status-none: var(--color-grey); + /* critical error in checks */ + --status-error: var(--color-black); + /* github grey color*/ + --github-grey: #24292e; +} + +body { + font-family: Cambria, Georgia, serif; + margin: 0; + color: default; + background-color: default; +} + +.header { + background-color: #d2d2d2; +} + +.header svg { + margin-left: 3px; + opacity: 0.8; +} + +.content { + padding: 30px 40px; +} + +a, a:visited { + color: default; +} + +html body div.header.content { + display: flex; + justify-content: space-between; + align-items: flex-start; + padding-top: 10px; + padding-bottom: 0; + font-family: "Libre Franklin", "Helvetica Neue", helvetica, arial, sans-serif; +} + +#companyName { + font-size: 2.5rem; + color: var(--company-red); + font-weight: 900; +} + +#companySlogan { + font-size: 1rem; + color: var(--color-black); + font-weight: 600; + margin: 0; + margin-bottom: 1rem; +} + +#summary > h1:nth-child(1) { + margin-bottom: 0; +} + +#logo > p:nth-child(2) { + color: #666; + margin-top: 0; +} + +#logo { + order: 2; + padding-top: px; /* No value is being set here */ +} + +#reportInformation > ul:nth-child(2) { + padding-left: 0; +} + + + +#reportInformation > ul:nth-child(2) > 
li:nth-child(1) { + list-style-type: none; +} + +.header svg { + margin-left: 3px; + opacity: 0.8; +} +.header svg g path:nth-child(1), /*F*/ +.header svg g path:nth-child(2), /*B*/ +.header svg g path:nth-child(6), /*G*/ +.header svg g path:nth-child(7), /*m*/ +.header svg g path:nth-child(8), /*b*/ +.header svg g path:nth-child(9) /*H*/ +{ + fill: var(--color-black); +} + +.header h1 { + margin: 0; +} + +h1, +h2, +h3, +h4, +h5, +h6 { + font-family: 'Calibri', 'Segoe UI', sans-serif; +} + +li a { + /*display: block;*/ + font-family: Arial, sans-serif; +} + +li a:hover { + background-color: #f2f2f2; +} + +.gauge { + height: 25px; + background: var(--status-none); + border-radius: 8px; + overflow: hidden; + display: flex; +} + +.gauge .gauge-meter { + height: 100%; + flex-grow: var(--weight); + flex-shrink: 0; + flex-basis: 0; + transition: flex-grow 0.5s ease; +} + +.gauge-info { + margin: 0; + padding: 20px 0px 10px 0px; + display: flex; + justify-content: space-between; + list-style: none; +} + +.gauge-info .gauge-info-item { + flex: 1; + text-align: center; + line-height: 30px; +} + +.gauge-info .gauge-info-item span.auditstatus { + display: inline; +} + +section.collapsed > :not(:first-child) { + display: none; +} + +table { + border-collapse: collapse; + font-family: Arial, sans-serif; +} + +th, +td { + padding: 5px 10px; + text-align: left; + vertical-align: top; +} + +/* audit-info table */ +table.audit-info { + margin-left: 8%; + margin-right: 8%; + width: 90%; +} + +table.audit-info th, +table.audit-info td { + border: 1px solid #d2d2d2; +} + +table.audit-info th { + border-bottom-width: 2px; + background-color: var(--color-dark-gray); +} + +table.audit-info tr:nth-child(even) { + background-color: var(--color-light-gray); +} + +/* First column in an audit-info table */ +table.audit-info th:nth-child(1), +table.audit-info td:nth-child(1) { + text-align: left; + white-space: nowrap; + width: 40px; +} + +/* First column in an audit-info table */ 
+table.audit-info th:nth-child(2), +table.audit-info td:nth-child(2) { + text-align: left; + width: 50%; +} + +/* Last column in an audit-info table */ +table.audit-info th:last-child, +table.audit-info td:last-child { + text-align: center; + width: 70px; +} + +.error, +.passed, +.green, +.failed, +.red { + color: var(--color-white); +} + +.warning, +.orange { + color: var(--color-black); +} + +.passed, +.green { + background-color: var(--status-true); +} + +.failed, +.red { + background-color: var(--status-false); +} + +.warning, +.orange { + background-color: var(--status-warning); +} + +.none, +.grey { + background-color: var(--status-none); +} + +.error { + background-color: var(--status-error); +} + +h1 span.passed, +h1 span.failed, +h1 span.warning, +h2 span.passed, +h2 span.failed, +h2 span.warning, +h3 span.passed, +h3 span.failed, +h3 span.warning { + padding: 5px 10px; + border-radius: 8px; +} + +span.auditstatus { + display: block; + padding: 5px 10px; + border-radius: 8px; + font-weight: bold; + margin: auto; +} + +.sectionAction { + display: inline-block; + text-align: center; + text-decoration: none; + margin: 0 0 0 15px; + padding: 0 8px; + color: var(--color-black); + background-color: var(--color-dark-gray); + border-radius: 8px; + font-weight: bold; + cursor: pointer; + transition-duration: 500ms; +} + +.sectionAction:hover { + background-color: var(--color-light-gray); + /* color: var(--color-blue); */ +} + +#host-information { + float: left; +} + +/* Overall compliance donut chart */ + +.card { + float: right; + margin: 0 100px 0 0; + width: 250px; +} + +.donut-chart { + position: relative; + border-radius: 50%; + overflow: hidden; +} + +.donut-chart.chart { + width: 200px; + height: 200px; + background: #c6c9cc; +} + +.donut-chart .slice { + position: absolute; + top: 0; + left: 0; + width: 100%; + height: 100%; +} + +.donut-chart .chart-center { + position: absolute; + border-radius: 50%; + top: 25px; + left: 25px; + width: 150px; + height: 
150px; + background: var(--color-white); +} + +.donut-chart .chart-center span { + display: block; + text-align: center; + font-size: 40px; + line-height: 150px; + color: var(--color-black); +} + + +#navigationButtons { + margin-top: 15px; + display: grid; + grid-template-rows: 50px; + grid-template-columns: repeat(6, 160px); +} + +.navButton{ + transition-duration: 500ms; + background-color: transparent; +} +.navButton:hover{ + transition-duration: 500ms; + background-color: var(--color-light-gray); +} + +.selectedNavButton{ + transition-duration: 500ms; + background-color: var(--color-orange) !important; +} + +button { + margin-left: 10px; + border-radius: 8px; + font-weight: bold; +} + +#riskScore { + font-family: Arial, sans-serif; + text-align: center; +} + +#CISA, +#MITRE { + font-family: Arial, sans-serif; +} + +#CISATable { + margin-right: 15%; + width: 85%; + border-collapse: collapse; + border: 1px solid var(--color-white); + font-family: Arial, sans-serif; +} + +.CISAMitigations { + width: 60%; +} + +.CISAMitreTechniqueIDs { + width: auto; + line-height: 1.5; +} + +.CISAMitreTechniqueIDs a { + border-radius: 0.3em; + background-color: #cc0000; + color: var(--color-white); + padding: 0.2em; + margin: 0.2em; + text-decoration: none; +} + +.CISAMitigationIDs { + width: auto; +} + +.CISAMitigationIDs a { + color: #000000; + text-decoration: none; +} + +#CISAthead { + border-bottom-width: 2px; + background-color: var(--color-dark-gray); + border: 1px solid #d2d2d2; +} + +#CISAtbody tr:nth-child(even) { + background-color: var(--color-light-gray); + border: 1px solid #d2d2d2; +} + +#CISAtbody tr td { + border: 1px solid #d2d2d2; +} + + +#MITRETable { + width: 100%; + border-collapse: collapse; + border: 1px solid var(--color-white); + font-family: Arial, sans-serif; + display: flex; + flex-direction: column; +} + +#MITREthead a { + color: var(--color-black); + text-decoration: none; + font-weight: bold; +} + +#MITREtbody a { + color: var(--color-black); + 
text-decoration: none; +} + +#MITREtbody tr, +#MITREthead tr { + display: flex; +} + +#MITREtbody td, +#MITREthead td { + min-width: 75px; + border: 1px solid #cccccc; + padding: 6px; + flex: 1; + flex-basis: 0; +} + +#MITREthead td { + overflow: hidden; + overflow-wrap: break-word; +} + +.MITRETechnique { + padding: 6px; + border: 1px solid var(--color-black); +} + +.tooltip { + position: relative; + display: inline-block; + border-bottom: 1px dotted var(--color-black); +} + +.tooltip .tooltiptext { + visibility: hidden; + width: 120px; + background-color: var(--color-black); + color: var(--color-white); + text-align: center; + border-radius: 6px; + padding: 5px 0; + + /* Position the tooltip */ + position: absolute; + z-index: 1; +} + +.tooltip:hover .tooltiptext { + visibility: visible; +} + +#Tip p { + font-weight: bold; + padding: 5px; +} + +.square-container { + display: flex; + align-items: center; + gap: 10px; + margin-bottom: 10px; +} + +.square { + width: 20px; + height: 20px; + border: 1px solid var(--color-black); +} + +#riskMatrixContainer { + display: grid; + position: relative; + grid-template-columns: 100px repeat(5, 60px); + grid-template-rows: repeat(6, 60px); + left: 10%; + float: left; + margin-top: 50px; + text-align: center; +} + +#riskMatrixContainer div { + border: 1px solid var(--color-black); +} + + +#severity { + grid-column-start: 1; + grid-column-end: 2; + grid-row-start: 1; + grid-row-end: 7; + position: relative; +} + +#quantity { + grid-column-start: 2; + grid-column-end: 7; + grid-row-start: 6; + grid-row-end: 7; + position: relative; +} + +#severityArea { + text-align: center; + position: absolute; + margin: 0; + top: 50%; + left: 20%; +} + +#quantityArea { + text-align: center; + position: absolute; + margin: 0; + top: 35%; + left: 40%; +} + +#severityCritical { + grid-column-start: 2; + grid-column-end: 3; + grid-row-start: 1; + grid-row-end: 2; + padding-top: 20px; +} + +#severityHigh { + grid-column-start: 2; + grid-column-end: 
3; + grid-row-start: 2; + grid-row-end: 3; + padding-top: 20px; +} + +#severityMedium { + grid-column-start: 2; + grid-column-end: 3; + grid-row-start: 3; + grid-row-end: 4; + padding-top: 20px; +} + +#severityLow { + grid-column-start: 2; + grid-column-end: 3; + grid-row-start: 4; + grid-row-end: 5; + padding-top: 20px; +} + +#quantityCritical { + grid-column-start: 6; + grid-column-end: 7; + grid-row-start: 5; + grid-row-end: 6; + text-align: center; + padding-top: 20px; +} + +#quantityHigh { + grid-column-start: 5; + grid-column-end: 6; + grid-row-start: 5; + grid-row-end: 6; + text-align: center; + padding-top: 20px; +} + +#quantityMedium { + grid-column-start: 4; + grid-column-end: 5; + grid-row-start: 5; + grid-row-end: 6; + text-align: center; + padding-top: 20px; +} + +#quantityLow { + grid-column-start: 3; + grid-column-end: 4; + grid-row-start: 5; + grid-row-end: 6; + text-align: center; + padding-top: 20px; +} + +#riskMatrixContainer:nth-child(10) { + position: relative; +} + +#riskMatrixSummary:nth-child(10) { + position: relative; +} + +/* Color for each Risk */ +#medium_medium, +#medium_low, +#low_medium { + background-color: #ffc000; +} + +#high_low, +#high_medium, +#high_high, +#medium_high, +#low_high { + background-color: red; +} + +#critical_low, +#critical_medium, +#critical_high, +#critical_critical, +#high_critical, +#medium_critical, +#low_critical { + background-color: purple; +} + + +/* Low Risk */ +#low_low { + background-color: #548dd6; + grid-column-start: 3; + grid-column-end: 4; + grid-row-start: 4; + grid-row-end: 5; +} + +/* Medium Risk */ +#medium_low { + grid-column-start: 3; + grid-column-end: 4; + grid-row-start: 3; + grid-row-end: 4; +} + +#medium_medium { + grid-column-start: 4; + grid-column-end: 5; + grid-row-start: 3; + grid-row-end: 4; +} + +#low_medium { + grid-column-start: 4; + grid-column-end: 5; + grid-row-start: 4; + grid-row-end: 5; +} + +/* High Risk*/ +#high_low { + grid-column-start: 3; + grid-column-end: 4; + 
grid-row-start: 2; + grid-row-end: 3; +} + +#high_medium { + grid-column-start: 4; + grid-column-end: 5; + grid-row-start: 2; + grid-row-end: 3; +} + +#high_high { + grid-column-start: 5; + grid-column-end: 6; + grid-row-start: 2; + grid-row-end: 3; +} + +#medium_high { + grid-column-start: 5; + grid-column-end: 6; + grid-row-start: 3; + grid-row-end: 4; +} + +#low_high { + grid-column-start: 5; + grid-column-end: 6; + grid-row-start: 4; + grid-row-end: 5; +} + +/* Critical Risk */ +#critical_low { + grid-column-start: 3; + grid-column-end: 4; + grid-row-start: 1; + grid-row-end: 2; +} + +#critical_medium { + grid-column-start: 4; + grid-column-end: 5; + grid-row-start: 1; + grid-row-end: 2; +} + +#critical_high { + grid-column-start: 5; + grid-column-end: 6; + grid-row-start: 1; + grid-row-end: 2; +} + +#critical_critical { + grid-column-start: 6; + grid-column-end: 7; + grid-row-start: 1; + grid-row-end: 2; +} + +#high_critical { + grid-column-start: 6; + grid-column-end: 7; + grid-row-start: 2; + grid-row-end: 3; +} + +#medium_critical { + grid-column-start: 6; + grid-column-end: 7; + grid-row-start: 3; + grid-row-end: 4; +} + +#low_critical { + grid-column-start: 6; + grid-column-end: 7; + grid-row-start: 4; + grid-row-end: 5; +} + +#severityDetails { + margin-left: 8%; + margin-top: 30px; + border: 1px solid #d2d2d2; + margin-right: 8%; + float: right; + margin-bottom: 40px; +} + +#severityDetails td { + border: 1px solid #d2d2d2; +} + +#calculationTables { + float: right; + position: relative; +} + +.calculationTablesText { + text-align: left; + font-family: Arial, sans-serif; +} + +#riskScore th { + background-color: var(--color-dark-gray); +} + +#riskScore tr:nth-child(2n) td { + background-color: var(--color-light-gray); +} + + +#riskMatrixSummary { + font-family: Arial, sans-serif; + display: grid; + position: relative; + grid-template-columns: 100px repeat(5, 60px); + grid-template-rows: repeat(6, 60px); + right: 10%; + float: right; +} + 
+#riskMatrixSummary div { + border: 1px solid var(--color-black); +} + +#riskMatrixSummaryArea { + float: right; + text-align: center; + margin-right: 10%; +} + +/* System Information Content */ +.systemInformationContent>tr>th { + padding-left: 0; + padding-right: 0; +} + + +#testGrid { + display: grid; + grid-auto-rows: minmax(auto, auto); + row-gap: 2px; + column-gap: 2px; + font-family: 'Calibri', 'Segoe UI', sans-serif; + word-break: break-word; + white-space: normal; + align-items: start; +} + +#testGrid div { + grid-auto-rows: minmax(auto, auto); + border: 1px solid #d2d2d2; + padding: 4px 6px; + font-size: 18px; + font-family: 'Calibri', 'Segoe UI', sans-serif; + box-sizing: border-box; + overflow-wrap: anywhere; + background-clip: padding-box; + height: 100%; + align-self: stretch; +} + + +#systemData { + display: grid; + grid-template-columns: repeat(4, 100px); + grid-template-rows: repeat(10, 5%); +} + +#hardwareInformation td { + width: min-content; +} + +#systemInformation { + grid-column-start: 1; + grid-column-end: 2; + grid-row-start: 0; + grid-row-end: 1; + margin-top: 0px; +} + +#hardwareInformation { + grid-column-start: 1; + grid-column-end: 2; + grid-row-start: 1; + grid-row-end: 1; +} + +#softwareInformation { + grid-column-start: 2; + grid-column-end: 3; + grid-row-start: 1; + grid-row-end: 2; +} + +/* Dot Indicators (Positioning must be precise) */ +#dotRiskScoreTab, #dotSummaryTab { + height: 15px; + width: 15px; + background-color: var(--color-black); + border-radius: 50%; + border-style: dotted; + display: inline-block; + position: absolute; + left: 22px; + top: 22px; /* Using a single top/left definition for both */ +} + + + +/* Quantity and Severity Results Blocks */ +#quantityTable, #severityTable { + margin-right: auto; + margin-top: 30px; + border: 1px solid var(--color-black); +} + +.severityResultFalse, +.severityResultTrue, +.severityResultNone, +.severityResultError, +.severityResultWarning{ + display: block; + padding: 5px 10px; 
+ border-radius: 8px; + font-weight: bold; + margin: auto; +} + +.severityResultFalse { + background-color: var(--status-false); + color: var(--color-white); +} + + +.severityResultTrue { + background-color: var(--status-true); + color: var(--color-white); +} + +.severityResultNone{ + background-color: var(--status-none); + color: var(--color-black); +} + +.severityResultError { + background-color: var(--status-error); + color: var(--color-light-gray); +} + +.severityResultWarning { + background-color: var(--status-warning); + color: var(--color-black); +} + +.tabContent#riskScore { + text-align: left; +} + +#severityCompliance { + margin-top: 25%; + clear: both; +} + +#complianceStatus { + padding: 5px 10px; + border-radius: 8px; + color: var(--color-white); + margin-left: 6%; + font-weight: bold; + display: inline; +} + +#referencesContainer { + display: grid; + grid-template-rows: 280px; + grid-template-columns: repeat(2, 500px); +} + +#referencesContainer div { + text-align: center; + margin-left: auto; + margin-right: auto; +} + + +#settingsOverview section { + margin-left: 2%; + margin-right: 5%; +} + +#invalidOS { + display: inline; + padding: 5px 10px; + border-radius: 8px; + font-weight: bold; + margin: auto; + background-color: #777777; +} + +#references p, #summary p, #settingsOverview p { + font-family: Arial, sans-serif; +} + +#foundationData p { + font-family: Arial, sans-serif; +} + +#foundationData section { + margin-left: 2%; + margin-right: 5%; +} + + +#hashTableDiv { + float: right; + width: 60%; + margin-bottom: 30px; +} + +#hashTableBody td { + line-height: 0px; + vertical-align: middle; +} + +#hashTable thead tr th { + vertical-align: middle; +} + +#CurrentATTCKHeatmap { + display: grid; + grid-template-columns: 20% 20% 20% 20% 20%; + grid-template-rows: 20% 20% 20% 20% 20%; + margin-top: 30px; + border: 1px solid var(--color-black); + margin-right: auto; + +} + +@media only screen and (max-width: 1900px) { + #hashTableBody td { + line-height: 
17px; + vertical-align: middle; + } +} + +/* Two-column layout with flexible wrapping in the About Us section*/ +.columns-container { + display: flex; + flex-wrap: wrap; + gap: 40px; + align-items: flex-start; + justify-content: space-around; + text-align: left; + overflow-wrap: break-word; +} + +/* Left column takes about 2/3 of space */ +.left-column { + flex: 2; + min-width: 300px; +} + +/* Right column takes about 1/3 of space */ +.right-column { + flex: 1; + min-width: 300px; +} + +/* Responsive video container */ +.video-wrapper { + width: 100%; + max-width: 480px; + aspect-ratio: 16 / 9; + margin: 20px 0; +} + +.video-wrapper iframe { + width: 100%; + height: 100%; + border: none; +} + +/*bulletpoint list in the right column*/ +.hardening-ul { + font-family: "Libre Franklin", "Helvetica Neue", helvetica, arial, sans-serif; + line-height: 1.6; + margin: 0 auto; + padding: 0 20px; +} + +/* Product section layout */ +.product-block { + display: flex; + flex-wrap: wrap; + justify-content: center; + padding: 20px 0; + margin-bottom: 20px; +} + +.product-item { + display: flex; + flex-direction: column; + align-items: center; + text-align: center; + min-width: 180px; +} + +/* Contact section background and padding */ +.contact-block { + background-color: var(--color-white); + padding: 20px 0; +} + +/* Flexbox for contact items */ +.contact-flex { + display: flex; + justify-content: space-between; + gap: 30px; + margin: 0 auto; + line-height: 1.2; + padding: 0 20px; + box-sizing: border-box; +} + +/* Flexbox in columns for p elements in each contact-item*/ +.contact-item { + display: flex; + flex-direction: column; + align-items: flex-start; + text-align: left; + flex: 1; + margin: 5px 0; +} + +/* Compact spacing between paragraphs only in this contact item context*/ +.contact-item p { + margin: 4px 0; +} + +/* Button container aligned with contact section */ +.contact-buttons { + display: flex; + gap: 20px; + justify-content: flex-start; + margin-top: 20px; + 
max-width: 1200px; + margin-left: auto; + margin-right: auto; + padding: 0 20px; + box-sizing: border-box; +} + +/* Base button style inside contact section */ +.contact-buttons .button-base { + border-radius: 4px; + padding: 15px 25px; + margin-left: 0px; + color: var(--color-white); + box-shadow: 2px 2px var(--color-black); + border: none; + cursor: pointer; + font-size: 16px; + height: auto; +} + +/* Contact Us button, that uses the company red color */ +#contactUsButton { + background-color: var(--company-red); +} + +/*GitHub button, that uses the dark color of the GitHSub website*/ +#githubButton { + background-color: var(--github-grey); +} + +/*this is the link of the company logo in the top right corner*/ +#companyLink { + text-decoration: none; + cursor: pointer; +} \ No newline at end of file diff --git a/ATAPHtmlReport/report.js b/ATAPHtmlReport/report.js new file mode 100644 index 0000000..b73560a --- /dev/null +++ b/ATAPHtmlReport/report.js 
@@ -0,0 +1,278 @@ +"use strict"; + +let AmountOfNonCompliantRules; +let AmountOfCompliantRules; +let TotalAmountOfRules; +let QuantityCompliance; + +let TotalAmountOfSeverityRules; +let AmountOfFailedSeverityRules; +let SeverityCompliance; + + +const cssVars = getComputedStyle(document.documentElement); + +const COLORS = { + green: cssVars.getPropertyValue('--color-green').trim(), + red: cssVars.getPropertyValue('--company-red').trim(), + orange: cssVars.getPropertyValue('--color-orange').trim(), + purple: cssVars.getPropertyValue('--color-purple').trim(), + white: cssVars.getPropertyValue('--color-white').trim(), + blue: cssVars.getPropertyValue('--color-blue').trim(), + dark_gray: cssVars.getPropertyValue('--color-dark-gray').trim(), + light_gray: cssVars.getPropertyValue('--color-light-gray').trim() +}; + +function startConditions() { + let isRiskScoreValue = document.getElementById("riskScore"); + let isMITREValue = document.getElementById("MITRE"); + + /* Default-Value: Display summary always at the beginning */ + document.getElementById("summary").style.display = "block"; + + /* Default-Value: Disable all other tabs at the beginning */ + document.getElementById("foundationData").style.display = "none"; + document.getElementById("references").style.display = "none"; + document.getElementById("settingsOverview").style.display = "none"; + + + /* document.getElementById("summaryBtn").style.backgroundColor = COLORS.orange; + document.getElementById("foundationDataBtn").style.backgroundColor = 'transparent'; + document.getElementById("referenceBtn").style.backgroundColor = 'transparent'; + document.getElementById("settingsOverviewBtn").style.backgroundColor = 'transparent'; */ + + if (isRiskScoreValue != null) { + document.getElementById("riskScore").style.display = "none"; + /* document.getElementById("riskScoreBtn").style.backgroundColor = 'transparent'; */ + /* Initialize necessary variables */ + + AmountOfNonCompliantRules = 
document.getElementById("AmountOfNonCompliantRules").textContent; + AmountOfCompliantRules = document.getElementById("AmountOfCompliantRules").textContent; + TotalAmountOfRules = document.getElementById("TotalAmountOfRules").textContent; + QuantityCompliance = document.getElementById("QuantityCompliance").textContent; + TotalAmountOfSeverityRules = document.getElementById("TotalAmountOfSeverityRules").textContent; + AmountOfFailedSeverityRules = document.getElementById("AmountOfFailedSeverityRules").textContent; + + calcDotPosition(); + let severityComplianceCollapseBtn = document.getElementById("severityComplianceCollapse"); + severityComplianceCollapseBtn.addEventListener("click", () => { + if (document.getElementById("severityDetails").style.display == "none") { + document.getElementById("severityDetails").style.display = "block"; + } + else { + document.getElementById("severityDetails").style.display = "none"; + } + }) + } + + if (isMITREValue != null) { + document.getElementById("MITRE").style.display = "none"; + document.getElementById("MITREBtn").style.backgroundColor = 'transparent'; + document.getElementById("CISA").style.display = "none"; + document.getElementById("CISABtn").style.backgroundColor = 'transparent'; + } +} + + +let buttonNumber; + +function clickButton(value) { + buttonNumber = parseInt(value); + + /* Disable all content */ + let tabContents = document.getElementsByClassName('tabContent'); + for (let i = 0; i < tabContents.length; i++) { + tabContents.item(i).style.display = "none"; + } + + /* Disable all buttons */ + let buttons = document.getElementsByClassName('navButton'); + for (let i = 0; i < buttons.length; i++) { + /* buttons.item(i).style.backgroundColor = 'transparent'; */ + buttons.item(i).classList.remove("selectedNavButton"); + } + + + + /* Re-Enable fitting content / button */ + switch (buttonNumber) { + case 1: + document.getElementById("summary").style.display = "block"; + /* 
document.getElementById("summaryBtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("summaryBtn").classList.add("selectedNavButton"); + break; + case 2: + document.getElementById("riskScore").style.display = "block"; + /* document.getElementById("riskScoreBtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("riskScoreBtn").classList.add("selectedNavButton"); + calcDotPosition(); + break; + case 3: + document.getElementById("references").style.display = "block"; + /* document.getElementById("referenceBtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("referenceBtn").classList.add("selectedNavButton"); + break; + case 4: + document.getElementById("settingsOverview").style.display = "block"; + /* document.getElementById("settingsOverviewBtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("settingsOverviewBtn").classList.add("selectedNavButton"); + break; + case 5: + document.getElementById("foundationData").style.display = "block"; + /* document.getElementById("foundationDataBtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("foundationDataBtn").classList.add("selectedNavButton"); + break; + case 6: + document.getElementById("MITRE").style.display = "block"; + /* document.getElementById("MITREBtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("MITREBtn").classList.add("selectedNavButton"); + break; + case 7: + document.getElementById("CISA").style.display = "block"; + /* document.getElementById("CISABtn").style.backgroundColor = COLORS.orange; */ + document.getElementById("CISABtn").classList.add("selectedNavButton"); + break; + } + +} + + + +/* +Calculate the position of the dot inside the risk matrix; +Will be calleed, after the user has clicked on Risk Score Button +*/ +function calcDotPosition() { + + + let dotRiskScoreTab = document.getElementById("dotRiskScoreTab"); + let dotSummaryTab = document.getElementById("dotSummaryTab"); + 
QuantityCompliance = parseFloat(QuantityCompliance); + + let complianceValueQuantity = 0; + let complianceValueSeverity = 0; + + /*low quantity compliance*/ + if (80 < QuantityCompliance) { + dotRiskScoreTab.style.gridColumnStart = 3; + dotSummaryTab.style.gridColumnStart = 3; + complianceValueQuantity = 1; + } + /*medium quantity compliance*/ + else if (65 < QuantityCompliance && QuantityCompliance < 80) { + dotRiskScoreTab.style.gridColumnStart = 4; + dotSummaryTab.style.gridColumnStart = 4; + complianceValueQuantity = 2; + } + /*high quantity compliance*/ + else if (50 < QuantityCompliance && QuantityCompliance < 65) { + dotRiskScoreTab.style.gridColumnStart = 5; + dotSummaryTab.style.gridColumnStart = 5; + complianceValueQuantity = 3; + } + /*critical quantity compliance*/ + else { + dotRiskScoreTab.style.gridColumnStart = 6; + dotSummaryTab.style.gridColumnStart = 6; + complianceValueQuantity = 4; + } + + + SeverityCompliance = parseInt(AmountOfFailedSeverityRules); + /*low severity compliance*/ + if (SeverityCompliance == 0) { + dotRiskScoreTab.style.gridRowStart = 4; + dotSummaryTab.style.gridRowStart = 4; + complianceValueSeverity = 1; + + + document.getElementById("complianceStatus").style.backgroundColor = COLORS.green; + } + /*critical severity compliance*/ + else { + dotRiskScoreTab.style.gridRowStart = 1; + dotSummaryTab.style.gridRowStart = 1; + complianceValueSeverity = 4; + document.getElementById("complianceStatus").style.backgroundColor = COLORS.red; + } + /* Unhide the dot now that it has been positioned */ + document.getElementById("dotSummaryTab").style.display = "inline-block"; + + let totalComplianceValue = Math.max(complianceValueQuantity, complianceValueSeverity); + + let summary = "Current Risk Score on tested System: "; + let riskResult = document.createElement("p"); + riskResult.style.display = "contents"; + if (totalComplianceValue == 1) { + riskResult.innerText = "Low"; + riskResult.style.backgroundColor = "#548dd6"; + } + else if 
(totalComplianceValue == 2) { + riskResult.innerText = "Medium"; + riskResult.style.backgroundColor = "#ffc000"; + } + else if (totalComplianceValue == 3) { + riskResult.innerText = "High"; + riskResult.style.color = "white"; + riskResult.style.backgroundColor = "#cc0000"; + } + else { + riskResult.innerText = "Critical"; + riskResult.style.color = "white"; + riskResult.style.backgroundColor = "purple"; + } + riskResult.style.display = "inline"; + riskResult.style.padding = "5px 10px"; + riskResult.style.borderRadius = "8px"; + riskResult.style.fontWeight = "bold"; + riskResult.style.margin = "auto"; + + let copyRiskResult = riskResult.cloneNode(); + copyRiskResult.innerText = riskResult.innerText; + + document.getElementById("CurrentRiskScore").textContent = summary; + document.getElementById("CurrentRiskScore").appendChild(riskResult); + document.getElementById("CurrentRiskScoreRS").textContent = summary; + document.getElementById("CurrentRiskScoreRS").appendChild(copyRiskResult); + +} + +/* +techniques are hidden or shown based on the status of the provided checkboxes and classes +classes must be in a compatible format for document.querySelectorAll() +examples with first all nodes in the 'orgMeasure' class and second all nodes that are in the 'MITRETechnique' but not in the 'mailVector' class: +hideMitreTechniques(this, '.orgMeasure') +hideMitreTechniques(this, '.MITRETechnique:not(.mailVector)') +*/ +let activeFilter = new Array(); +function hideMitreTechniques(checkbox, classes) { + let classElements = document.querySelectorAll(classes); + if (checkbox.checked) { + /* push the current classes into the activeFilter array to determine which filters are currently active. 
*/ + activeFilter.push(classes); + for (let i = 0; i < classElements.length; i++) { + classElements[i].style.padding = '0.1em'; + + const children = classElements[i].querySelectorAll('*'); + for (let j = 0; j < children.length; j++) { + children[j].style.display = 'none'; + } + } + } + else { + activeFilter.splice(activeFilter.indexOf(classes), 1); + /* create an array from the classElements since it makes filtering easier. */ + let elementsToHide = Array.from(classElements); + /* create an array that includes all elements from the remaining active filters */ + let elementsNotToHide = (activeFilter.length === 0) ? new Array() : Array.from(document.querySelectorAll(activeFilter)); + /* filter the elementsToHide array to retrieve and display only the elements that are not hidden by other filters */ + elementsToHide = elementsToHide.filter(element => !elementsNotToHide.includes(element)); + for (let i = 0; i < elementsToHide.length; i++) { + elementsToHide[i].style.removeProperty('padding'); + const children = elementsToHide[i].querySelectorAll('*'); + for (let j = 0; j < children.length; j++) { + children[j].style.removeProperty('display'); + } + } + } +} \ No newline at end of file diff --git a/ATAPHtmlReport/resources/CISToAttackMappingData.json b/ATAPHtmlReport/resources/CISToAttackMappingData.json new file mode 100644 index 0000000..86c1c72 Binary files /dev/null and b/ATAPHtmlReport/resources/CISToAttackMappingData.json differ diff --git a/ATAPHtmlReport/runATAP.ps1 b/ATAPHtmlReport/runATAP.ps1 new file mode 100644 index 0000000..2c7712f --- /dev/null +++ b/ATAPHtmlReport/runATAP.ps1 
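Review bot: in calcDotPosition the quantity thresholds leave the boundary values unclassified: a QuantityCompliance of exactly 80, 65 or 50 satisfies neither `80 < QuantityCompliance` nor `65 < QuantityCompliance && QuantityCompliance < 80` (nor the next range), so it falls through to the final `else` and is rated Critical. Make the ranges contiguous, e.g. `else if (QuantityCompliance > 65)` and `else if (QuantityCompliance > 50)` after the first check. The cut-offs used here (80/65/50) also differ from the "Risk Score Calculation" table in the sample report added later in this patch (85/70/55, and "X > 1" for severity, which leaves X = 1 unspecified while this code rates any failed severity rule as Critical); align the code and the table. `SeverityCompliance = parseInt(AmountOfFailedSeverityRules)` assigns without let/const (implicit global, and parseInt has no radix), and QuantityCompliance/AmountOfFailedSeverityRules have no declaration in the hunk; if they are injected by the report template, a comment saying so would help. In hideMitreTechniques, `document.querySelectorAll(activeFilter)` only works because Array.prototype.toString joins the selectors with commas, and `activeFilter.splice(activeFilter.indexOf(classes), 1)` removes the last entry when indexOf returns -1; use `activeFilter.join(',')` and guard the index.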
@@ -0,0 +1,42 @@ +#set the directory where you want to save the reports +$report_directory = "~\Documents\ATAPReports" +#enter which report you want to execute +$report_name = "Microsoft Windows 10" +#saves old working directory +$old_pwd = $pwd + +#to access the report file later, "Microsoft" has to be cut out of the String +if($report_name.Contains("Microsoft")) { + $report = $report_name.Substring(10, ($report_name.Length-10)) +} +else { + $report = $report_name +} + +#starts generating the HTML report +Save-ATAPHtmlReport $report_name -Path $report_directory -MITRE + +#enters the report_directory and searchs for the newest report of the kind set above +Set-Location $report_directory +if ($null -eq (Get-ChildItem -Name)) { + Write-Output 'Error no report could be generated.' +} +elseif((Get-ChildItem -Name).GetType().Name -eq 'String') { + $file = Get-ChildItem -Name + #opens the report with the standard appplication set in windows + Start-Process -FilePath $file + #goes back to the old working directory + Set-Location $old_pwd +} +elseif((Get-ChildItem -Name).GetType().Name -eq 'Object[]') { + $i = ((Get-ChildItem -Name).Length)-1 + $file = $report_directory + "\" + (Get-ChildItem -Name)[$i] + while(!$file.Contains($report)) { + $i = $i - 1 + $file = $report_directory + "\" + (Get-ChildItem -Name)[$i] + } + #opens the report with the standard appplication set in windows + Start-Process -FilePath $file + #goes back to the old working directory + Set-Location $old_pwd +} \ No newline at end of file diff --git a/FAQ/images/FAQ_print backgrounds.PNG b/FAQ/images/FAQ_print backgrounds.PNG new file mode 100644 index 0000000..14e6aed Binary files /dev/null and b/FAQ/images/FAQ_print backgrounds.PNG differ diff --git a/FAQ/images/readme.md b/FAQ/images/readme.md new file mode 100644 index 0000000..8373703 --- /dev/null +++ b/FAQ/images/readme.md @@ -0,0 +1 @@ +Folder to contain all images and screenshots for FAQ section. 
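Review bot: the `while(!$file.Contains($report))` loop in the `Object[]` branch never terminates when no file name contains $report: $i keeps decreasing, negative indices wrap around or yield $null, and $file never matches. Replace the index walk with a filtered query, e.g. `$file = Get-ChildItem -Path $report_directory -Filter "*$report*" | Sort-Object LastWriteTime | Select-Object -Last 1`, which also selects the newest report by modification time instead of by name order, and emit a message and stop when nothing matches. The `$null` branch leaves the session in $report_directory because only the other two branches run `Set-Location $old_pwd`; move the restore after the if/elseif chain or use Push-Location/Pop-Location. Minor: `$report_directory + "\" + ...` should be Join-Path, and the comments have "appplication" and "searchs".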
diff --git a/FAQ/readme.md b/FAQ/readme.md new file mode 100644 index 0000000..fcf64a2 --- /dev/null +++ b/FAQ/readme.md 
@@ -0,0 +1,51 @@ +# Frequently Asked Questions +This section is dedicated to an ever-growing list of frequently asked questions + +### Table of contents + + - [When printing html to PDF, color-scheme-formatting is lost](#when-printing-html-to-pdf-color-scheme-formatting-is-lost-back-to-toc) + - [Can we add specific exclusions to be more compliant?](#can-we-add-specific-exclusions-to-be-more-compliant-back-to-toc) + - [When downloading my anti virus scanner detects malicious behavior. What does that mean?](#when-downloading-my-anti-virus-scanner-detects-malicious-behavior-what-does-that-mean) + - [Why is PowerShell console stating commandlet "Save-ATAPHtmlReport" was not found in the module "ATAPAuditor"?](#why-is-powershell-console-stating-commandlet-save-ataphtmlreport-was-not-found-in-the-module-atapauditor-back-to-toc) + - [How long does it take to create a report from AuditTAP?](#how-long-does-it-take-to-create-a-report-from-audittap) + + +#### When printing html to PDF, color-scheme-formatting is lost [[Back to TOC]](https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/FAQ/readme.md#table-of-contents) + +It's not a bug, it's a feature of modern browsers to save ink. As per default, the option to print backgrounds is disabled. +To enable this, expand the section "more settings" and enable "Print backgrounds" (Firefox) / "Background graphics" (Google Chrome). + +The following screenshot shows this for Firefox browser. +![image](https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/FAQ/images/FAQ_print%20backgrounds.PNG) + + +#### Can we add specific exclusions to be more compliant? [[Back to TOC]](https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/FAQ/readme.md#table-of-contents) + +The scenario often described is as follows: Customer uses another antimalware tool than Microsoft Defender. So all Defender related rules will be non compliant as Microsoft Defender is not in "active mode". This leads to higher "non compliance value". 
+At this point of time it is not possible to add ecxlusions or rationals. AuditTAP was designed to be easy to handle and create fast, transparent reports. We are thinking about enhancing the product in this direction - but this is not a short term feature change. + + +#### When downloading my anti virus scanner detects malicious behavior. What does that mean? + +For AuditTAP we are using an open source installer called 'Inno Setup' provided by Jordan Russell. This installer can be detected as a malicious file, which is not the case. This is a common problem which happened to other software providers as well. Here is a link to a stackoverflow question about this topic: +https://stackoverflow.com/questions/68834409/program-installed-with-inno-setup-seen-as-trojan-wacatac-bml +If you don't trust this installer at all, you can of course install our tool via PowerShell Gallery or by importing both modules via PowerShell. + +#### Why is PowerShell console stating commandlet "Save-ATAPHtmlReport" was not found in the module "ATAPAuditor"? [[Back to TOC]](https://github.com/fbprogmbh/Audit-Test-Automation/blob/master/FAQ/readme.md#table-of-contents) + +This happens in case PowerShell "Constrained Language Mode" is activated and execution policy is set to "AllSigned". A simple change of execution policy will help here. We recommend to change it only for the single PowerShell session and not permanent for system or user. The following PowerShell will do the trick: + +``` +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process +``` + +The following Screenshot shows error and solution: +![image](https://user-images.githubusercontent.com/23223285/216938169-b92200d4-645b-442c-8d00-de46328e75a0.png) + + + +#### How long does it take to create a report from AuditTAP? +Depending on the size of the report you want to create, the time it takes to create varies. 
Here are some measurements: +* ~ 50 seconds (Google Chrome) +* ~ 2 minutes 30 seconds (Microsoft Windows 10) +Each Audit-Test takes some time and depending on the amount of tests, the final report needs some time to finalise. diff --git a/Installer/.gitignore b/Installer/.gitignore new file mode 100644 index 0000000..7152825 --- /dev/null +++ b/Installer/.gitignore @@ -0,0 +1,2 @@ +atap-packaged/ +*.iss \ No newline at end of file diff --git a/Installer/LICENSE b/Installer/LICENSE new file mode 100644 index 0000000..f385a47 --- /dev/null +++ b/Installer/LICENSE 
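Review bot: typos in the FAQ text: "ecxlusions" should be "exclusions", "rationals" should be "rationales", "anti virus" should be "antivirus", "non compliant" should be "non-compliant", and "finalise"/"finalize" should match the rest of the document; the "When downloading ..." and "How long ..." headings also lack the [Back to TOC] link the other entries carry. On the antivirus entry, publishing a SHA-256 hash and/or an Authenticode signature for setup.exe would give users something to verify rather than asking them to trust the installer; the PowerShell Gallery alternative is the right fallback and should be listed first.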
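Review bot: Installer/.gitignore ignores `*.iss`, i.e. the Inno Setup script that builds the installer, while the same patch commits the built Installer/setup.exe as a binary. That leaves a prebuilt executable in the repository with no source to rebuild or audit it from, which is exactly the situation the FAQ's antivirus entry then has to explain. Commit the .iss script and produce setup.exe in CI or as a release asset instead of the reverse.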
@@ -0,0 +1,29 @@ +BSD 3-Clause License + +Copyright (c) 2023, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/Installer/icons/AT.ico b/Installer/icons/AT.ico new file mode 100644 index 0000000..8bc8a54 Binary files /dev/null and b/Installer/icons/AT.ico differ diff --git a/Installer/icons/AT1024.png b/Installer/icons/AT1024.png new file mode 100644 index 0000000..f77d8fe Binary files /dev/null and b/Installer/icons/AT1024.png differ 
diff --git a/Installer/icons/AT1024_source.xcf b/Installer/icons/AT1024_source.xcf new file mode 100644 index 0000000..388a0b1 Binary files /dev/null and b/Installer/icons/AT1024_source.xcf differ diff --git a/Installer/icons/AT128.png b/Installer/icons/AT128.png new file mode 100644 index 0000000..be44362 Binary files /dev/null and b/Installer/icons/AT128.png differ diff --git a/Installer/icons/AT16.png b/Installer/icons/AT16.png new file mode 100644 index 0000000..3c0a6b2 Binary files /dev/null and b/Installer/icons/AT16.png differ diff --git a/Installer/icons/AT256.png b/Installer/icons/AT256.png new file mode 100644 index 0000000..600bc57 Binary files /dev/null and b/Installer/icons/AT256.png differ diff --git a/Installer/icons/AT32.png b/Installer/icons/AT32.png new file mode 100644 index 0000000..9357f80 Binary files /dev/null and b/Installer/icons/AT32.png differ diff --git a/Installer/icons/AT512.png b/Installer/icons/AT512.png new file mode 100644 index 0000000..79fe26f Binary files /dev/null and b/Installer/icons/AT512.png differ diff --git a/Installer/icons/AT64.png b/Installer/icons/AT64.png new file mode 100644 index 0000000..0f14587 Binary files /dev/null and b/Installer/icons/AT64.png differ diff --git a/Installer/setup.exe b/Installer/setup.exe new file mode 100644 index 0000000..1ebeda2 Binary files /dev/null and b/Installer/setup.exe differ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..417711f --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,29 @@ +BSD 3-Clause License + +Copyright (c) 2018, FB Pro GmbH +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +* Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/Samples/Google Chrome_20220902_134320.html b/Samples/Google Chrome_20220902_134320.html new file mode 100644 index 0000000..175aab3 --- /dev/null +++ b/Samples/Google Chrome_20220902_134320.html @@ -0,0 +1,15 @@ +Google Chrome Audit Report [09/02/2022 13:43:23]

Google Chrome Audit Report

Settings Overview

Table Of Content

Click the link(s) below for quick access to a report section.

CIS Recommendations-

This section contains all CIS recommendations

Registry Settings/Group Policies-

IdTaskMessageStatus
1.1.1(L1) Ensure 'Enable curtaining of remote access hosts' is set to 'Disabled'CompliantTrue
1.1.2(L1) Ensure 'Allow gnubby authentication for remote access hosts' is set to 'Disabled'.CompliantTrue
1.1.3(L1) Ensure 'Allow remote users to interact with elevated windows in remote assistance sessions' is set to 'Disabled'CompliantTrue
1.2(L1) Ensure 'Continue running background apps when Google Chrome is closed' is set to 'Disabled'CompliantTrue
1.3(L1) Ensure 'Ask where to save each file before downloading' is set to 'Enabled'CompliantTrue
1.4(L1) Ensure 'Disable saving browser history' is set to 'Disabled'CompliantTrue
1.5(L1) Ensure 'Enable HTTP/0.9 support on non-default ports' is set to 'Disabled'CompliantTrue
1.6(L1) Ensure 'Enable component updates in Google Chrome' is set to 'Enabled'CompliantTrue
1.7(L1) Ensure 'Enable deprecated web platform features for a limited time' is set to 'Disabled'Compliant. Registry key not found.True
1.8(L1) Ensure 'Enable third party software injection blocking' is set to 'Enabled'CompliantTrue
1.9(L1) Ensure 'Extend Flash content setting to all content' is set to 'Disabled'CompliantTrue
1.10(L1) Ensure 'Suppress the unsupported OS warning' is set to 'Disabled'CompliantTrue
1.11(L1) Ensure 'Whether online OCSP/CRL checks are performed' is set to 'Disabled'CompliantTrue
1.12(L1) Ensure 'Allow WebDriver to Override Incompatible Policies' is set to 'Disabled'CompliantTrue
1.13(L1) Ensure 'Control SafeSites adult content filtering' is set to 'Enabled' with value 'Do not filter sites for adult content' specifiedCompliantTrue
1.14(L1) Ensure 'Origins or hostname patterns for which restrictions on insecure origins should not apply' is set to 'Disabled'Compliant. Registry key not found.True
1.15(L1) Ensure 'Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities' is set to 'Disabled'Compliant. Registry key not found.True
1.16(L1) Ensure 'Disable Certificate Transparency enforcement for a list of URLs' is set to 'Disabled'Compliant. Registry key not found.True
1.17(L1) Ensure 'Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes' is set to 'Disabled'Compliant. Registry key not found.True
2.1(L1) Ensure 'Default Flash Setting' is set to 'Enabled' (Click to Play)CompliantTrue
2.2(L2) Ensure 'Default notification setting' is set to 'Enabled' with 'Do not allow any site to show desktop notifications'CompliantTrue
2.3(L2) Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled' with 'Do not allow any site to request access to Bluetooth devices via the Web Bluetooth API'CompliantTrue
2.4(L2) Ensure 'Control use of the WebUSB API' is set to 'Enabled' with 'Do not allow any site to request access to USB devices via the WebUSB API'CompliantTrue
2.5(L1) Ensure 'Configure extension installation blacklist' is set to 'Enabled' ("*" for all extensions)CompliantTrue
2.6.1(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the values 'extension' specifiedCompliantTrue
2.6.2(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'hosted_app'specifiedCompliantTrue
2.6.3(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'platform_app' specifiedCompliantTrue
2.6.4(L1) Ensure 'Configure allowed app/extension types' is set to 'Enabled' with the value 'theme'specifiedCompliantTrue
2.7(L2) Ensure 'Configure native messaging blacklist' is set to 'Enabled' ("*" for all messaging applications)CompliantTrue
2.8(L1) Ensure 'Enable saving passwords to the password manager' is ConfiguredCompliantTrue
2.9(L1) Ensure 'Supported authentication schemes' is set to 'Enabled' (ntlm, negotiate)CompliantTrue
2.10(L1) Ensure 'Choose how to specify proxy server settings' is not set to 'Enabled' with 'Auto detect proxy settings'CompliantTrue
2.11(L1) Ensure 'Allow running plugins that are outdated' is set to 'Disabled'CompliantTrue
2.12(L1) Ensure 'Enable Google Cloud Print Proxy' is set to 'Disabled'CompliantTrue
2.13(L1) Ensure 'Enable Site Isolation for every site' is set to 'Enabled'CompliantTrue
2.14(L1) Ensure 'Allow download restrictions' is set to 'Enabled' with 'Block dangerous downloads' specified.CompliantTrue
2.15(L1) Ensure 'Disable proceeding from the Safe Browsing warning page' is set to 'Enabled'CompliantTrue
2.16(L1) Ensure 'Notify a user that a browser relaunch or device restart is recommended or required' is set to 'Enabled' with 'Show a recurring prompt to the user indication that a relaunch is required' specifiedCompliantTrue
2.17(L1) Ensure 'Set the time period for update notifications' is set to 'Enabled' with '86400000' (1 day) specifiedCompliantTrue
2.18(L2) Ensure 'Whether online OCSP/CRL checks are required for local trust anchors' is set to 'Enabled'CompliantTrue
2.19(L1) Ensure 'Enable Chrome Cleanup on Windows' is ConfiguredCompliantTrue
2.20(L2) Ensure 'Use built-in DNS client' is set to 'Disabled'CompliantTrue
2.21(L1) Ensure 'Update policy override' is set to 'Enabled' with 'Always allow updates (recommended)' or 'Automatic silent updates' specifiedCompliantTrue
3.1(L2) Ensure 'Default cookies setting' is set to 'Enabled' (Keep cookies for the duration of the session)CompliantTrue
3.2(L1) Ensure 'Default geolocation setting' is set to 'Enabled' with 'Do not allow any site to track the users' physical location'CompliantTrue
3.3(L1) Ensure 'Enable Google Cast' is set to 'Disabled'CompliantTrue
3.4(L1) Ensure 'Block third party cookies' is set to 'Enabled'CompliantTrue
3.5(L1) Ensure 'Enable reporting of usage and crash-related data' is set to 'Disabled'CompliantTrue
3.6(L1) Ensure 'Control how Chrome Cleanup reports data to Google' is set to 'Disabled'CompliantTrue
3.7(L1) Ensure 'Browser sign in settings' is set to 'Enabled' with 'Disabled browser sign-in' specifiedCompliantTrue
3.8(L1) Ensure 'Enable Translate' is set to 'Disabled'CompliantTrue
3.9(L1) Ensure 'Enable network prediction' is set to 'Enabled' with 'Do not predict actions on any network connection' selectedCompliantTrue
3.10(L1) Ensure 'Enable search suggestions' is set to 'Disabled'CompliantTrue
3.11(L1) Ensure 'Enable or disable spell checking web service' is set to 'Disabled'CompliantTrue
3.12(L1) Ensure 'Enable alternate error pages' is set to 'Disabled'CompliantTrue
3.13(L1) Ensure 'Disable synchronization of data with Google' is set to 'Enabled'CompliantTrue
3.14(L1) Ensure 'Enable Safe Browsing for trusted sources' is set to 'Disabled'CompliantTrue
3.15(L1) Ensure 'Enable URL-keyed anonymized data collection' is set to 'Disabled'CompliantTrue
3.16(L1) Ensure 'Enable deleting browser and download history' is set to 'Disabled'CompliantTrue
4.1.1(L1) Ensure 'Enable firewall traversal from remote access host' is set to 'Disabled'CompliantTrue
4.1.2(L1) Ensure 'Enable or disable PIN-less authentication for remote access hosts' is set to 'Disabled'CompliantTrue
4.1.3(L1) Ensure 'Enable the use of relay servers by the remote access host' is set to 'Disabled'.CompliantTrue
4.1.4(L1) Ensure 'Configure the required domain names for remote access clients' is set to 'Enabled' with a domain definedCompliantTrue
5.1(L1) Ensure 'Enable submission of documents to Google Cloud print' is set to 'Disabled'CompliantTrue
5.2(L1) Ensure 'Import saved passwords from default browser on first run' is set to 'Disabled'CompliantTrue
5.3(L1) Ensure 'Enable AutoFill for credit cards' is set to 'Disabled'CompliantTrue
5.4(L1) Ensure 'Enable AutoFill for addresses' is set to 'Disabled'CompliantTrue

DISA Recommendations-

This section contains all DISA recommendations

Registry Settings/Group Policies-

IdTaskMessageStatus
DTBC-0001Firewall traversal from remote host must be disabled.CompliantTrue
DTBC-0003Sites ability for showing desktop notifications must be disabled.CompliantTrue
DTBC-0004Sites ability to show pop-ups must be disabled.Registry value not found.False
DTBC-0002Site tracking users location must be disabled.CompliantTrue
DTBC-0005Extensions installation must be blacklisted by default.CompliantTrue
DTBC-0006Extensions that are approved for use must be whitelisted.Registry key not found.False
DTBC-0009Default search provider must be enabled.Registry value not found.False
DTBC-0011The Password Manager must be disabled.Registry value is '1'. Expected: 0False
DTBC-0013The running of outdated plugins must be disabled.CompliantTrue
DTBC-0015Third party cookies must be blocked.CompliantTrue
DTBC-0017Background processing must be disabled.CompliantTrue
DTBC-00193D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.)Registry value not found.False
DTBC-0020Google Data Synchronization must be disabled.CompliantTrue
DTBC-0021The URL protocol schema javascript must be disabled.Registry key not found.False
DTBC-0023Cloud print sharing must be disabled.CompliantTrue
DTBC-0025Network prediction must be disabled.CompliantTrue
DTBC-0026Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.)CompliantTrue
DTBC-0027Search suggestions must be disabled.CompliantTrue
DTBC-0029Importing of saved passwords must be disabled.CompliantTrue
DTBC-0030Incognito mode must be disabled.Registry value not found.False
DTBC-0037Online revocation checks must be done.Registry value is '0'. Expected: 1False
DTBC-0038Safe Browsing must be enabled.Registry value not found.False
DTBC-0039Browser history must be saved.CompliantTrue
DTBC-0040Default behavior must block webpages from automatically running plugins.CompliantTrue
DTBC-0051URLs must be whitelisted for plugin useRegistry value not found.False
DTBC-0052Deletion of browser history must be disabled.CompliantTrue
DTBC-0053Prompt for download location must be enabled.CompliantTrue
DTBC-0064Autoplay must be disabled.Registry value not found.False
DTBC-0056Chrome must be configured to allow only TLS.Registry value not found.False
DTBC-0057Safe Browsing Extended Reporting must be disabled.Registry value not found.False
DTBC-0058WebUSB must be disabled.CompliantTrue
DTBC-0060Chrome Cleanup must be disabled.Registry value is '1'. Expected: 0False
DTBC-0061Chrome Cleanup reporting must be disabled.CompliantTrue
DTBC-0063Google Cast must be disabled.CompliantTrue
DTBC-0066Anonymized data collection must be disabled.CompliantTrue
DTBC-0067Collection of WebRTC event logs must be disabled.Registry value not found.False

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.1 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.

Based on:

  • CIS Google Chrome Benchmark, Version: 2.0.0, Date: 2019-05-17
  • DISA Google Chrome Security Technical Implementation Guide, Version: V1R15, Date: 2019-01-28

This report was generated on 09/02/2022 13:43:23 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.

System information

HostnameDESKTOP-UTMU75K.fb-pro.com
Domain roleMember Workstation
Operating SystemMicrosoft Windows 10 Pro
Build Number19044
Installation LanguageEnglish (United States)
Free disk space (GB)29.1
Free physical memory (GB)13.8% (2.7 GB / 19.7 GB)

Current Risk Score on tested System: N/A

Risk Score calculation implemented for Microsoft Windows OS for now.

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

A total of 103 tests have been executed.

  1. True 88 test(s) ≙ 85.44%
  2. False 15 test(s) ≙ 14.56%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

CIS Recommendations

A total of 67 tests have been executed in section CIS Recommendations.

  1. True 67 test(s) ≙ 100.00%
  2. False 0 test(s) ≙ 0.00%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

DISA Recommendations

A total of 36 tests have been executed in section DISA Recommendations.

  1. True 21 test(s) ≙ 58.33%
  2. False 15 test(s) ≙ 41.67%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity)Risk Assessment
85% < XLow
70% < X < 85%Medium
55% < X < 70%High
X < 55%Critical
Compliance to Benchmarks (Severity)Risk Assessment
X = 0Low
X > 1Critical

Severity Compliance

-
IdTaskStatus
18.6.3(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'False
18.9.47.9.2(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'False
18.3.6(L1) Ensure 'WDigest Authentication' is set to 'Disabled'True
18.9.47.5.1.2 A(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)True
18.9.47.5.1.2 B(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)True
18.9.47.5.1.2 C(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)True
18.9.47.5.1.2 D(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)True
18.9.47.5.1.2 E(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)True
18.9.47.5.1.2 F(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)True
18.9.47.5.1.2 G(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))True
18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)True
18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)True
18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)True
18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)True
18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)False
7.9 A(L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128)True
7.9 B(L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128)True
7.9 C(L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128)True
7.9 D(L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128)True
1.1.7(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'True
2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'True
2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'True
18.6.2(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'False
18.3.3(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'True
18.3.3(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'True
18.9.58.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'True
18.9.58.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'True
2.3.5.2(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)False
9.1.7(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'True
9.1.8(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'True
2.2.38(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)True
3.1.1_1Configuration of the lowest possible telemetry-level (Enterprise Windows 10)True
3.1.1_2Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10)None
3.1.2.1Deactivation of the telemetry service and ETW-sessions - disable service DiagTrackTrue
3.1.2.2Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diatrack-ListenerTrue
3.1.3.1.1Deactivation of telemetry according to Microsoft - Windows UpdateFalse
3.1.3.1.2Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPSTrue
3.1.3.1.3Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample filesTrue

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here

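Review bot: the Severity Compliance table in this hunk reuses Id 18.3.3 for two different tasks ('Configure SMB v1 client driver' and 'Configure SMB v1 server'); if these are distinct benchmark items the second needs its own Id, otherwise the table cannot be cross-referenced against the benchmark. The rows are also unsorted (18.6.3, 18.9.47.9.2, 18.3.6, ... 1.1.7, ... 3.1.1_1) while the IIS sample in the next file sorts the same table by Id, so the report generator should sort consistently. Also the telemetry service is spelled 'DiagTrack' in 3.1.2.1 and 'Diatrack' in 3.1.2.2; one of the two task strings has a typo.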
diff --git a/Samples/Microsoft IIS10_20220905_052811.html b/Samples/Microsoft IIS10_20220905_052811.html new file mode 100644 index 0000000..31afe45 --- /dev/null +++ b/Samples/Microsoft IIS10_20220905_052811.html @@ -0,0 +1,21 @@ +IIS 10 Benchmarks [09/05/2022 05:28:18]

IIS 10 Benchmarks

Settings Overview

Table Of Content

Click the link(s) below for quick access to a report section.

System Report-

IdTaskMessageStatus
1.5Ensure 'unique application pools' is set for sitesAll GoodTrue
2.7Ensure 'passwordFormat' is not set to clearAll GoodTrue
2.8Ensure 'credentials' are not stored in configuration filesAll GoodTrue
3.1Ensure 'deployment method retail' is setretail is not enabled in machine.configFalse
3.5Ensure ASP.NET stack tracing is not enabledAll GoodTrue
4.9Ensure 'notListedIsapisAllowed' is set to falseAll GoodTrue
4.10Ensure 'notListedCgisAllowed' is set to falseAll GoodTrue
5.2Ensure Advanced IIS logging is enabledAdvanced Logging is not available for IIS 10. See enhanced logging instead.None
6.1Ensure FTP requests are encryptedSkipped this benchmark - right now Web-Ftp-Server is not installedNone
6.2Ensure FTP Logon attempt restrictions is enabledSkipped this benchmark - right now Web-Ftp-Server is not installedNone
7.2Ensure SSLv2 is disabledAll GoodTrue
7.3Ensure SSLv3 is disabledAll GoodTrue
7.4Ensure TLS 1.0 is disabledTLS 1.0 is enabledFalse
7.5Ensure TLS 1.1 is disabledTLS 1.1 is enabledFalse
7.6Ensure TLS 1.2 is enabledAll GoodTrue
7.7Ensure NULL Cipher Suites is disabledAll GoodTrue
7.8Ensure DES Cipher Suites is disabledAll GoodTrue
7.9.1Ensure RC4 Cipher Suites is disabledAll GoodTrue
7.9.2Ensure RC4 Cipher Suites is disabledAll GoodTrue
7.9.3Ensure RC4 Cipher Suites is disabledAll GoodTrue
7.9.4Ensure RC4 Cipher Suites is disabledAll GoodTrue
7.10Ensure AES 128/128 Cipher Suite is disabledAES 128/128 Cipher Suite is still enabledFalse
7.11Ensure AES 256/256 Cipher Suite is enabledAll GoodTrue
7.12.1Ensure TLS Cipher Suite ordering is correctly configuredTLS Cipher Suite ordering does not match referenceFalse
7.12.2Ensure TLS Cipher Suite does not contain more ciphersTLS Cipher Suite contains more ciphersFalse

ApplicationHost-

IdTaskMessageStatus
1.3Ensure 'directory browsing' is set to disabledAll GoodTrue
1.6Ensure 'application pool identity' is configured for anonymous user identityUsername is set to: IUSRFalse
2.1Ensure 'global authorization rule' is set to restrict accessURL Authorization is not installedWarning
2.2Ensure access to sensitive site features is restricted to authenticated principals onlyAll GoodTrue
2.3Ensure 'forms authentication' require SSLForms authentication is not installedWarning
2.4Ensure 'forms authentication' is set to use cookiesForms authentication is not installedWarning
2.5Ensure 'cookie protection mode' is configured for forms authenticationForms authentication is not installedWarning
2.7Ensure 'passwordFormat' is not set to clearAll GoodTrue
2.8Ensure 'credentials' are not stored in configuration filesAll GoodTrue
3.2Ensure 'debug' is turned offAll GoodTrue
3.3Ensure custom error messages are not offAll GoodTrue
3.4Ensure IIS HTTP detailed errors are hidden from displaying remotelyAll GoodTrue
3.5Ensure ASP.NET stack tracing is not enabledAll GoodTrue
3.6Ensure 'httpcookie' mode is configured for session stateAll GoodTrue
4.1Ensure 'maxAllowedContentLength' is configuredAll Good + maxContentLength: 30000000True
4.2Ensure 'maxURL request filter' is configuredAll Good + maxURLRequestFilter: 4096True
4.3Ensure 'MaxQueryString request filter' is configuredAll Good + maxQueryStringRequestFilter: 2048True
4.4Ensure non-ASCII characters in URLs are not allowednon-ASCII characters in URLs are allowedFalse
4.5Ensure Double-Encoded requests will be rejectedAll GoodTrue
4.6Ensure 'HTTP Trace Method' is disabledHTTP Trace Method is not filteredFalse
4.7Ensure Unlisted File Extensions are not allowedUnlisted file extensions allowedFalse
4.8Ensure Handler is not granted Write and Script/ExecuteAll GoodTrue
7.1Ensure HSTS Header is setHSTS Header not setFalse

Full site report for: Default Web Site-

IdTaskMessageStatus
1.1Ensure web content is on non-system partitionWeb content is on system partitionFalse
1.2Ensure 'host headers' is setThe following bindings do no specify a host: *:80:False
1.4Ensure 'application pool identity' is configuredAll GoodTrue
2.6Ensure transport layer security for 'basic authentication' is configuredAll GoodTrue
3.8Ensure 'MachineKey validation method - .Net 3.5' is configuredAll GoodTrue
3.9Ensure 'MachineKey validation method - .Net 4.5' is configuredValidation set to SHA1False
3.10Ensure global .NET trust level is configuredThis only applies to .Net 2.0. Future versions have stopped supporting this feature.None
4.11Ensure 'Dynamic IP Address Restrictions' is enabled"IP and Domain Restrictions" must be installed to enabled "Dynamic IP Address Restrictions"False
5.1Ensure Default IIS web log location is movedLogfile location is on system drive: C:\inetpub\logs\LogFilesFalse
5.3Ensure 'ETW Logging' is enabledETW Logging disabledFalse

Report for: /-

IdTaskMessageStatus
1.3Ensure 'directory browsing' is set to disabledAll GoodTrue
1.6Ensure 'application pool identity' is configured for anonymous user identityUsername is set to: IUSRFalse
2.1Ensure 'global authorization rule' is set to restrict accessURL Authorization is not installedWarning
2.2Ensure access to sensitive site features is restricted to authenticated principals onlyAll GoodTrue
2.3Ensure 'forms authentication' require SSLForms authentication is not installedWarning
2.4Ensure 'forms authentication' is set to use cookiesForms authentication is not installedWarning
2.5Ensure 'cookie protection mode' is configured for forms authenticationForms authentication is not installedWarning
2.7Ensure 'passwordFormat' is not set to clearAll GoodTrue
2.8Ensure 'credentials' are not stored in configuration filesAll GoodTrue
3.2Ensure 'debug' is turned offAll GoodTrue
3.3Ensure custom error messages are not offAll GoodTrue
3.4Ensure IIS HTTP detailed errors are hidden from displaying remotelyAll GoodTrue
3.5Ensure ASP.NET stack tracing is not enabledAll GoodTrue
3.6Ensure 'httpcookie' mode is configured for session stateAll GoodTrue
3.7Ensure 'cookies' are set with HttpOnly attributehttpOnlyCookies set to FalseFalse
4.1Ensure 'maxAllowedContentLength' is configuredAll Good + maxContentLength: 30000000True
4.2Ensure 'maxURL request filter' is configuredAll Good + maxURLRequestFilter: 4096True
4.3Ensure 'MaxQueryString request filter' is configuredAll Good + maxQueryStringRequestFilter: 2048True
4.4Ensure non-ASCII characters in URLs are not allowednon-ASCII characters in URLs are allowedFalse
4.5Ensure Double-Encoded requests will be rejectedAll GoodTrue
4.6Ensure 'HTTP Trace Method' is disabledHTTP Trace Method is not filteredFalse
4.7Ensure Unlisted File Extensions are not allowedUnlisted file extensions allowedFalse
4.8Ensure Handler is not granted Write and Script/ExecuteAll GoodTrue
7.1Ensure HSTS Header is setHSTS Header not setFalse

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • CIS Microsoft IIS 10 Benchmark, Version: 1.1.0, Date: 12-11-2018

This report was generated on 09/05/2022 05:28:18 on WIN-T74AI7HCI62 with ATAPHtmlReport version 1.8.

System information

HostnameWIN-T74AI7HCI62
Domain roleStandalone Server
Operating SystemMicrosoft Windows Server 2022 Standard Evaluation
Build Number20348
Installation LanguageEnglish (United States)
Free disk space (GB)7.9
Free physical memory (GB)13.5% (0.5 GB / 3.8 GB)

Current Risk Score on tested System:

N/A

Risk Score calculation implemented for Microsoft Windows OS for now.

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

A total of 82 tests have been executed.

  1. True 47 test(s) ≙ 57.32%
  2. False 23 test(s) ≙ 28.05%
  3. Warning 8 test(s) ≙ 9.76%
  4. None 4 test(s) ≙ 4.88%
  5. Error 0 test(s) ≙ 0.00%

System Report

A total of 25 tests have been executed in section System Report.

  1. True 16 test(s) ≙ 64.00%
  2. False 6 test(s) ≙ 24.00%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 3 test(s) ≙ 12.00%
  5. Error 0 test(s) ≙ 0.00%

ApplicationHost

A total of 23 tests have been executed in section ApplicationHost.

  1. True 14 test(s) ≙ 60.87%
  2. False 5 test(s) ≙ 21.74%
  3. Warning 4 test(s) ≙ 17.39%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Full site report for: Default Web Site

A total of 34 tests have been executed in section Full site report for: Default Web Site.

  1. True 17 test(s) ≙ 50.00%
  2. False 12 test(s) ≙ 35.29%
  3. Warning 4 test(s) ≙ 11.76%
  4. None 1 test(s) ≙ 2.94%
  5. Error 0 test(s) ≙ 0.00%

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity)Risk Assessment
More than 85%Low
Between 70% and 85%Medium
Between 55% and 70%High
Less than 55%Critical
Compliance to Benchmarks (Severity)Risk Assessment
All critical settings compliantLow
1 or more incompliant setting(s)Critical

Severity Compliance

-
IdTaskStatus
1.1.7(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'True
2.2.38(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)True
2.3.5.2(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)None
2.3.5.2(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)None
2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'False
2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'True
7.9 A(L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128)False
7.9 B(L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128)False
7.9 C(L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128)False
7.9 D(L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128)False
9.1.7(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'False
9.1.8(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'False
18.3.3(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'False
18.3.3(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'False
18.3.6(L1) Ensure 'WDigest Authentication' is set to 'Disabled'False
18.6.2(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'False
18.6.3(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'False
18.9.47.9.2(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'False
18.9.47.5.1.2 A(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)False
18.9.47.5.1.2 B(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)False
18.9.47.5.1.2 C(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)False
18.9.47.5.1.2 D(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)False
18.9.47.5.1.2 E(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)False
18.9.47.5.1.2 F(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)False
18.9.47.5.1.2 G(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))False
18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)False
18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)False
18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)False
18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)False
18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)False
18.9.48.11Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'False
18.9.58.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'False
18.9.58.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'False

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here

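Review bot: the Severity Compliance table in this IIS sample contradicts the System Report above it: 7.9.1 to 7.9.4 'Ensure RC4 Cipher Suites is disabled' are reported 'All Good' / True, yet 7.9 A to D in the severity table are all False, and the severity table also lists Windows OS items (1.1.7, 2.2.38, 18.3.x, 18.9.47.5.1.2 A to L, 18.9.58.3.10.x) that are not part of the 'CIS Microsoft IIS 10 Benchmark' the report says it is based on. Either derive that table from the same result set as the section tables or omit it for non-Windows reports, as the Risk Score section already does ('Risk Score calculation implemented for Microsoft Windows OS for now'). Smaller points: the 2.3.5.2 LDAP server signing row appears twice; 7.9.1 to 7.9.4 carry identical task text and do not say which RC4 suite each one checks (the 'RC4 40/128' style wording used in the severity table would fix that); and two message strings have typos, 'do no specify a host' (1.2) and 'must be installed to enabled' (4.11).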
diff --git a/Samples/Microsoft Windows 10 All.html b/Samples/Microsoft Windows 10 All.html new file mode 100644 index 0000000..c3b008d --- /dev/null +++ b/Samples/Microsoft Windows 10 All.html @@ -0,0 +1,35 @@ +Windows 10 Report [12/07/2022 10:32:32]

Windows 10 Report

Hardening Settings

Table Of Contents

Click the link(s) below for quick access to a report section.

Benchmark Details

CIS Benchmarks-

This section contains the CIS Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1.1.6(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'CompliantTrue
2.3.1.2(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'CompliantTrue
2.3.1.4(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'CompliantTrue
2.3.2.1(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
2.3.2.2(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
2.3.4.1(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'CompliantTrue
2.3.4.2(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'CompliantTrue
2.3.6.1(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'CompliantTrue
2.3.6.2(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'CompliantTrue
2.3.6.3(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'CompliantTrue
2.3.6.4(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'CompliantTrue
2.3.6.5(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'CompliantTrue
2.3.6.6(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'CompliantTrue
2.3.7.1(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'CompliantTrue
2.3.7.2(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'CompliantTrue
2.3.7.3(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'CompliantTrue
2.3.7.4(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'CompliantTrue
2.3.7.5(L1) Configure 'Interactive logon: Message text for users attempting to log on'CompliantTrue
2.3.7.6(L1) Configure 'Interactive logon: Message title for users attempting to log on'CompliantTrue
2.3.7.7(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'CompliantTrue
2.3.7.8(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'CompliantTrue
2.3.7.9(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higherCompliantTrue
2.3.8.1(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
2.3.8.2(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'CompliantTrue
2.3.8.3(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'CompliantTrue
2.3.9.1(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'CompliantTrue
2.3.9.2(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
2.3.9.3(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'CompliantTrue
2.3.9.4(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'CompliantTrue
2.3.9.5(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higherCompliantTrue
2.3.10.1(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'Registry value not found.False
2.3.10.2(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'CompliantTrue
2.3.10.3(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'CompliantTrue
2.3.10.4(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'CompliantTrue
2.3.10.5(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'CompliantTrue
2.3.10.6(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'CompliantTrue
2.3.10.7(L1) Ensure 'Network access: Remotely accessible registry paths' is configuredCompliantTrue
2.3.10.8(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configuredCompliantTrue
2.3.10.9(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'CompliantTrue
2.3.10.10(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'CompliantTrue
2.3.10.11(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'CompliantTrue
2.3.10.12(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'CompliantTrue
2.3.11.1(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'CompliantTrue
2.3.11.2(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'CompliantTrue
2.3.11.3(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'CompliantTrue
2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'CompliantTrue
2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'CompliantTrue
2.3.11.7(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'CompliantTrue
2.3.11.8(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higherCompliantTrue
2.3.11.9(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
2.3.11.10(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
2.3.14.1(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higherCompliantTrue
2.3.15.1(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'CompliantTrue
2.3.15.2(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'CompliantTrue
2.3.17.1(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'CompliantTrue
2.3.17.2(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'CompliantTrue
2.3.17.3(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'Registry value is '3'. Expected: 0False
2.3.17.4(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'CompliantTrue
2.3.17.5(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'CompliantTrue
2.3.17.6(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'CompliantTrue
2.3.17.7(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'CompliantTrue
2.3.17.8(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'CompliantTrue
5.1(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'Registry value is '3'. Expected: 4False
5.2(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'Registry value is '3'. Expected: 4False
5.3(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.4(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'CompliantTrue
5.5(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'CompliantTrue
5.6(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.7(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.8(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'CompliantTrue
5.9(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'CompliantTrue
5.10(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.11(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.12(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'CompliantTrue
5.13(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.14(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'CompliantTrue
5.15(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'CompliantTrue
5.16(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'CompliantTrue
5.17(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'CompliantTrue
5.18(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'Registry value is '2'. Expected: 4False
5.19(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'CompliantTrue
5.20(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'CompliantTrue
5.21(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'CompliantTrue
5.22(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'CompliantTrue
5.23(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'CompliantTrue
5.24(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'CompliantTrue
5.25(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'CompliantTrue
5.26(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'CompliantTrue
5.27(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'CompliantTrue
5.28(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.29(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.30(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.31(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'CompliantTrue
5.32(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'CompliantTrue
5.33(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.34(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'CompliantTrue
5.35(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'CompliantTrue
5.36(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'CompliantTrue
ID | Profile | Recommendation | Finding | Compliant
--- | --- | --- | --- | ---
5.37 | L1 | Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' | Compliant | True
5.38 | L2 | Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' | Compliant | True
5.39 | L2 | Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' | Compliant | True
5.40 | L2 | Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' | Registry value is '2'. Expected: 4 | False
5.41 | L1 | Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' | Compliant | True
5.42 | L1 | Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' | Compliant | True
5.43 | L1 | Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' | Compliant | True
5.44 | L1 | Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' | Compliant | True
5.45 | L1 | Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' | Compliant | True
9.1.1 | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | Compliant | True
9.1.2 | L1 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' | Compliant | True
9.1.3 | L1 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' | Registry value is '0'. Expected: 1 | False
9.1.4 | L1 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | Compliant | True
9.1.5 | L1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Compliant | True
9.1.6 | L1 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False
9.1.7 | L1 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False
9.1.8 | L1 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False
9.2.1 | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | Compliant | True
9.2.2 | L1 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | Compliant | True
9.2.3 | L1 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' | Registry value is '0'. Expected: 1 | False
9.2.4 | L1 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | Compliant | True
9.2.5 | L1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True
9.2.6 | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False
9.2.7 | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False
9.2.8 | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False
9.3.1 | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | Compliant | True
9.3.2 | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | Compliant | True
9.3.3 | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | Registry value is '0'. Expected: 1 | False
9.3.4 | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | Compliant | True
9.3.5 | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True
9.3.6 | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True
9.3.7 | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True
9.3.8 | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
9.3.9 | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | Compliant | True
9.3.10 | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | Compliant | True
18.1.1.1 | L1 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Compliant | True
18.1.1.2 | L1 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Compliant | True
18.1.2.2 | L1 | Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' | Compliant | True
18.1.3 | L2 | Ensure 'Allow Online Tips' is set to 'Disabled' | Compliant | True
18.2.2 | L1 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | Compliant | True
18.2.3 | L1 | Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Compliant | True
18.2.4 | L1 | Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' | Compliant | True
18.2.5 | L1 | Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' | Compliant | True
18.2.6 | L1 | Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | Compliant | True
18.3.1 | L1 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Compliant | True
18.3.2 | L1 | Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | Compliant | True
18.3.3 | L1 | Ensure 'Configure SMB v1 server' is set to 'Disabled' | Compliant | True
18.3.4 | L1 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Compliant | True
18.3.5 | L1 | Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) | Compliant | True
18.3.6 | L1 | Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') | Compliant | True
18.3.7 | L1 | Ensure 'WDigest Authentication' is set to 'Disabled' | Compliant | True
18.4.1 | L1 | Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Compliant | True
18.4.2 | L1 | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Compliant | True
18.4.3 | L1 | Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Compliant | True
18.4.4 | L2 | Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' | Compliant | True
18.4.5 | L1 | Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Compliant | True
18.4.6 | L2 | Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | Compliant | True
18.4.7 | L1 | Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Compliant | True
18.4.8 | L2 | Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' | Compliant | True
18.4.9 | L1 | Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | Compliant | True
18.4.10 | L1 | Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Compliant | True
18.4.11 | L2 | Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Compliant | True
18.4.12 | L2 | Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Compliant | True
18.4.13 | L1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True
18.5.4.1 | L1 | Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher | Compliant | True
18.5.4.2 | L1 | Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Compliant | True
18.5.5.1 | L2 | Ensure 'Enable Font Providers' is set to 'Disabled' | Compliant | True
18.5.8.1 | L1 | Ensure 'Enable insecure guest logons' is set to 'Disabled' | Compliant | True
18.5.9.1 A | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain) | Compliant | True
18.5.9.1 B | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public) | Compliant | True
18.5.9.1 C | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO) | Compliant | True
18.5.9.1 D | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private) | Compliant | True
18.5.9.2 A | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnDomain) | Compliant | True
18.5.9.2 B | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnPublicNet) | Compliant | True
18.5.9.2 C | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr) | Compliant | True
18.5.9.2 D | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (ProhibitRspndrOnPrivateNet) | Compliant | True
18.5.10.2 | L2 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Compliant | True
18.5.11.2 | L1 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Compliant | True
18.5.11.3 | L1 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Compliant | True
18.5.11.4 | L1 | Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | Compliant | True
18.5.14.1 A | L1 | Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Compliant | True
18.5.14.1 B | L1 | Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Compliant | True
18.5.19.2.1 | L2 | Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | Compliant | True
18.5.20.1 | L2 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | Compliant | True
18.5.20.2 | L2 | Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | Compliant | True
18.5.21.1 | L1 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | Registry value not found. | False
18.5.21.2 | L1 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True
18.5.23.2.1 | L1 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' | Compliant | True
18.6.1 | L1 | Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | Compliant | True
18.6.2 | L1 | Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Compliant | True
18.6.3 | L1 | Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | Compliant | True
18.7.1.1 | L2 | Ensure 'Turn off notifications network usage' is set to 'Enabled' | Compliant | True
18.8.3.1 | L1 | Ensure 'Include command line in process creation events' is set to 'Enabled' | Compliant | True
18.8.4.1 | L1 | Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | Compliant | True
18.8.4.2 | L1 | Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Compliant | True
18.8.5.1 | NG | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True
18.8.5.2 | NG | Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' | Compliant | True
18.8.5.3 | NG | Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' | Compliant | True
18.8.5.4 | NG | Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | Compliant | True
18.8.5.5 | NG | Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' | Compliant | True
18.8.5.6 | NG | Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' | Compliant | True
18.8.7.1.1 | BL | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False
18.8.7.1.2 | BL | Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Compliant | True
18.8.7.1.3 | BL | Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Registry value not found. | False
18.8.7.1.4 | BL | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True
18.8.7.1.5 | BL | Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | Compliant | True
18.8.7.1.6 | BL | Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Compliant | True
18.8.7.2 | L1 | Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) | Compliant | True
18.8.14.1 | L1 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | Compliant | True
18.8.21.2 | L1 | Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Compliant | True
18.8.21.3 | L1 | Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Compliant | True
18.8.21.4 | L1 | Ensure 'Continue experiences on this device' is set to 'Disabled' | Compliant | True
18.8.21.5 | L1 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Compliant | True
18.8.22.1.1 | L2 | Ensure 'Turn off access to the Store' is set to 'Enabled' | Compliant | True
18.8.22.1.2 | L1 | Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | Compliant | True
18.8.22.1.3 | L2 | Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' | Compliant | True
18.8.22.1.4 | L2 | Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' | Compliant | True
18.8.22.1.5 | L2 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' | Compliant | True
18.8.22.1.6 | L1 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | Compliant | True
18.8.22.1.7 | L2 | Ensure 'Turn off printing over HTTP' is set to 'Enabled' | Compliant | True
18.8.22.1.8 | L2 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | Compliant | True
18.8.22.1.9 | L2 | Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | Compliant | True
18.8.22.1.10 | L2 | Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' | Compliant | True
18.8.22.1.11 | L2 | Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' | Compliant | True
18.8.22.1.12 | L2 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | Compliant | True
18.8.22.1.13 | L2 | Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | Compliant | True
18.8.22.1.14 A | L2 | Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Compliant | True
18.8.22.1.14 B | L2 | Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Registry value is '0'. Expected: x == 1 | False
18.8.25.1 A | L2 | Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) | Compliant | True
18.8.25.1 B | L2 | Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) | Compliant | True
18.8.26.1 | BL | Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' | Compliant | True
18.8.27.1 | L2 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' | Compliant | True
18.8.28.1 | L1 | Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Compliant | True
18.8.28.2 | L1 | Ensure 'Do not display network selection UI' is set to 'Enabled' | Compliant | True
18.8.28.3 | L1 | Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | Compliant | True
18.8.28.4 | L1 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Compliant | True
18.8.28.5 | L1 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Compliant | True
18.8.28.6 | L1 | Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Compliant | True
18.8.28.7 | L1 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Compliant | True
18.8.31.1 | L2 | Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' | Compliant | True
18.8.31.2 | L2 | Ensure 'Allow upload of User Activities' is set to 'Disabled' | Compliant | True
18.8.34.6.1 | L1 | Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | Compliant | True
18.8.34.6.2 | L1 | Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' | Compliant | True
18.8.34.6.3 | BL | Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Compliant | True
18.8.34.6.4 | BL | Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Compliant | True
18.8.34.6.5 | L1 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | Compliant | True
18.8.34.6.6 | L1 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Compliant | True
18.8.36.1 | L1 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Compliant | True
18.8.36.2 | L1 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Compliant | True
18.8.37.1 | L1 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' | Compliant | True
18.8.37.2 | L1 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' | Compliant | True
18.8.48.5.1 | L2 | Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Compliant | True
18.8.48.11.1 | L2 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | Compliant | True
18.8.50.1 | L2 | Ensure 'Turn off the advertising ID' is set to 'Enabled' | Compliant | True
18.8.53.1.1 | L2 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True
18.8.53.1.2 | L2 | Ensure 'Enable Windows NTP Server' is set to 'Disabled' | Compliant | True
18.9.4.1 | L2 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' | Compliant | True
18.9.4.2 | L1 | Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' | Compliant | True
18.9.5.1 | L1 | Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' | Compliant | True
18.9.6.1 | L1 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' | Compliant | True
18.9.6.2 | L2 | Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' | Compliant | True
18.9.8.1 | L1 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True
18.9.8.2 | L1 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' | Compliant | True
18.9.8.3 | L1 | Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | Compliant | True
18.9.10.1.1 | L1 | Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' | Compliant | True
18.9.11.1.1 | BL | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Compliant | True
18.9.11.1.2 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True
18.9.11.1.3 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Compliant | True
18.9.11.1.4 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Compliant | True
18.9.11.1.5 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' | Compliant | True
18.9.11.1.6 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True
18.9.11.1.7 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' | Compliant | True
18.9.11.1.8 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' | Compliant | True
18.9.11.1.9 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' | Compliant | True
18.9.11.1.10 | BL | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' | Compliant | True
18.9.11.1.11 | BL | Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' | Compliant | True
18.9.11.1.12 | BL | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Compliant | True
18.9.11.1.13 | BL | Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Compliant | True
18.9.11.2.1 | BL | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Compliant | True
18.9.11.2.2 | BL | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' | Compliant | True
18.9.11.2.3 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True
18.9.11.2.4 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' | Compliant | True
18.9.11.2.5 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | Compliant | True
18.9.11.2.6 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Compliant | True
18.9.11.2.7 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True
18.9.11.2.8 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' | Compliant | True
18.9.11.2.9 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' | Compliant | True
18.9.11.2.10 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' | Compliant | True
18.9.11.2.11 | BL | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' | Compliant | True
18.9.11.2.12 | BL | Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' | Compliant | True
18.9.11.2.13 | BL | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Compliant | True
18.9.11.2.14 | BL | Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Compliant | True
18.9.11.3.1 | BL | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' | Compliant | True
18.9.11.3.2 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False
18.9.11.3.3 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Compliant | True
18.9.11.3.4 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | Registry value not found. | False
18.9.11.3.5 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Compliant | True
18.9.11.3.6 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True
18.9.11.3.7 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' | Compliant | True
18.9.11.3.8 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' | Compliant | True
18.9.11.3.9 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | Compliant | True
18.9.11.3.10 | BL | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' | Compliant | True
18.9.11.3.11 | BL | Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' | Registry value not found. | False
18.9.11.3.12 | BL | Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' | Compliant | True
18.9.11.3.13 | BL | Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | Compliant | True
18.9.11.3.14 | BL | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Compliant | True
18.9.11.3.15 | BL | Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Compliant | True
18.9.11.4 | BL | Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' | Compliant | True
18.9.12.1 | L2 | Ensure 'Allow Use of Camera' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False
18.9.14.1 | L1 | Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | Compliant | True
18.9.14.2 | L2 | Ensure 'Turn off cloud optimized content' is set to 'Enabled' | Compliant | True
18.9.14.3 | L1 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Compliant | True
18.9.15.1 | L1 | Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Compliant | True
18.9.16.1 | L1 | Ensure 'Do not display the password reveal button' is set to 'Enabled' | Compliant | True
18.9.16.2 | L1 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Compliant | True
18.9.16.3 | L1 | Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | Compliant | True
18.9.17.1 | L1 | Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' | Compliant | True
18.9.17.2 | L2 | Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' | Compliant | True
18.9.17.3 | L1 | Ensure 'Disable OneSettings Downloads' is enabled | Compliant | True
18.9.17.4 | L1 | Ensure 'Do not show feedback notifications' is set to 'Enabled' | Compliant | True
18.9.17.5 | L1 | Ensure 'Enable OneSettings Auditing' is set to 'Enabled' | Compliant | True
18.9.17.6 | L1 | Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' | Compliant | True
18.9.17.7 | L1 | Ensure 'Limit Dump Collection' is set to 'Enabled' | Compliant | True
18.9.17.8 | L1 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled' | Compliant | True
18.9.18.1 | L1 | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Compliant | True
18.9.27.1.1 | L1 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
18.9.27.1.2 | L1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
18.9.27.2.1 | L1 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
18.9.27.2.2 | L1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True
18.9.27.3.1 | L1 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
18.9.27.3.2 | L1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
18.9.27.4.1 | L1 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
18.9.27.4.2 | L1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
18.9.31.2 | L1 | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | Compliant | True
18.9.31.3 | L1 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | Compliant | True
18.9.31.4 | L1 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Compliant | True
18.9.36.1 | L1 | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | Compliant | True
18.9.41.1 | L2 | Ensure 'Turn off location' is set to 'Enabled' | Compliant | True
18.9.45.1 | L2 | Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | Compliant | True
18.9.46.1 | L1 | Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | Compliant | True
18.9.47.4.1 | L1 | Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Compliant | True
18.9.47.4.2 | L2 | Ensure 'Join Microsoft MAPS' is set to 'Disabled' | Compliant | True
18.9.47.5.1.1 | L1 | Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | Compliant | True
18.9.47.5.1.2 A | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True
18.9.47.5.1.2 B | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True
18.9.47.5.1.2 C | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True
18.9.47.5.1.2 D | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True
18.9.47.5.1.2 E | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True
18.9.47.5.1.2 F | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True
18.9.47.5.1.2 G | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True
18.9.47.5.1.2 H | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True
18.9.47.5.1.2 I | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True
18.9.47.5.1.2 J | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True
18.9.47.5.1.2 K | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True
18.9.47.5.1.2 L | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True
18.9.47.5.3.1 | L1 | Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' | Compliant | True
18.9.47.6.1 | L2 | Ensure 'Enable file hash computation feature' is set to 'Enabled' | Compliant | True
18.9.47.9.1 | L1 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' | Compliant | True
18.9.47.9.2 | L1 | Ensure 'Turn off real-time protection' is set to 'Disabled' | Compliant | True
18.9.47.9.3 | L1 | Ensure 'Turn on behavior monitoring' is set to 'Enabled' | Compliant | True
18.9.47.9.4 | L1 | Ensure 'Turn on script scanning' is set to 'Enabled' | Compliant | True
18.9.47.11.1 | L2 | Ensure 'Configure Watson events' is set to 'Disabled' | Compliant | True
18.9.47.12.1 | L1 | Ensure 'Scan removable drives' is set to 'Enabled' | Compliant | True
18.9.47.12.2 | L1 | Ensure 'Turn on e-mail scanning' is set to 'Enabled' | Compliant | True
18.9.47.15 | L1 | Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' | Compliant | True
18.9.47.16 | L1 | Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' | Compliant | True
18.9.48.1 | NG | Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' | Compliant | True
18.9.48.2 | NG | Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' | Compliant | True
18.9.48.3 | NG | Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' | Compliant | True
18.9.48.4 | NG | Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled' | Compliant | True
18.9.48.5 | NG | Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' | Compliant | True
18.9.48.6 | NG | Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' | Compliant | True
18.9.57.1 | L2 | Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' | Compliant | True
18.9.58.1 | L1 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Registry key not found. | False
18.9.64.1 | L2 | Ensure 'Turn off Push To Install service' is set to 'Enabled' | Compliant | True
18.9.65.2.2 | L1 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | Compliant | True
18.9.65.3.2.1 | L2 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' | Compliant | True
18.9.65.3.3.1 | L2 | Ensure 'Allow UI Automation redirection' is set to 'Disabled' | Compliant | True
18.9.65.3.3.2 | L2 | Ensure 'Do not allow COM port redirection' is set to 'Enabled' | Compliant | True
18.9.65.3.3.3 | L1 | Ensure 'Do not allow drive redirection' is set to 'Enabled' | Compliant | True
18.9.65.3.3.4 | L2 | Ensure 'Do not allow location redirection' is set to 'Enabled' | Compliant | True
18.9.65.3.3.5 | L2 | Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | Compliant | True
18.9.65.3.3.6 | L2 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | Compliant | True
18.9.65.3.9.1 | L1 | Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Compliant | True
18.9.65.3.9.2 | L1 | Ensure 'Require secure RPC communication' is set to 'Enabled' | Compliant | True
18.9.65.3.9.3(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'CompliantTrue
18.9.65.3.9.4(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'CompliantTrue
18.9.65.3.9.5(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'CompliantTrue
18.9.65.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'CompliantTrue
18.9.65.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'CompliantTrue
18.9.65.3.11.1(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'CompliantTrue
18.9.66.1(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'CompliantTrue
18.9.67.2(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'CompliantTrue
18.9.67.3(L1) Ensure 'Allow Cortana' is set to 'Disabled'CompliantTrue
18.9.67.4(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'CompliantTrue
18.9.67.5(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'CompliantTrue
18.9.67.6(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'CompliantTrue
18.9.72.1(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'CompliantTrue
18.9.75.1(L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'Registry value not found.False
18.9.75.2(L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'CompliantTrue
18.9.75.3(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'CompliantTrue
18.9.75.4(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'CompliantTrue
18.9.75.5(L2) Ensure 'Turn off the Store application' is set to 'Enabled'CompliantTrue
18.9.81.1(L1) Ensure 'Allow widgets' is set to 'Disabled'CompliantTrue
18.9.85.1.1 A(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'CompliantTrue
18.9.85.1.1 B(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)CompliantTrue
18.9.85.2.1(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'CompliantTrue
18.9.85.2.2(L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' (PreventOverride).CompliantTrue
18.9.87.1(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'CompliantTrue
18.9.89.1(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'CompliantTrue
18.9.89.2(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'CompliantTrue
18.9.90.1(L1) Ensure 'Allow user control over installs' is set to 'Disabled'CompliantTrue
18.9.90.2(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (LocalMachine)CompliantTrue
18.9.90.3(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'CompliantTrue
18.9.91.1(L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'CompliantTrue
18.9.100.1(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.CompliantTrue
18.9.100.2(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue
18.9.102.1.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
18.9.102.1.2(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
18.9.102.1.3(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'CompliantTrue
18.9.102.2.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
18.9.102.2.2(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'Registry value not found.False
18.9.102.2.3(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
18.9.102.2.4(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'CompliantTrue
18.9.103.1(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'Registry value is '1'. Expected: 0False
18.9.104.1(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'CompliantTrue
18.9.104.2(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'CompliantTrue
18.9.105.2.1(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'CompliantTrue
18.9.108.1.1(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'CompliantTrue
18.9.108.2.1(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'CompliantTrue
18.9.108.2.2(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'CompliantTrue
18.9.108.2.3(L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'CompliantTrue
18.9.108.4.1(L1) Ensure 'Manage preview builds' is set to 'Disabled' (Automated)Registry value is '0'. Expected: 1False
18.9.108.4.2 A(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'CompliantTrue
18.9.108.4.2 B(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays)CompliantTrue
18.9.108.4.3 A(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'. (DeferQualityUpdates)CompliantTrue
18.9.108.4.3 B(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)CompliantTrue
19.7.8.5(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'Registry value not found.False

User Rights Assignment

Id | Task | Message | Status
2.2.1 | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True
2.2.2 | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
2.2.3 | (L1) Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True
2.2.4 | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
2.2.5 | (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' | Compliant | True
2.2.6 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' | Compliant | True
2.2.7 | (L1) Ensure 'Back up files and directories' is set to 'Administrators' | Compliant | True
2.2.8 | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Compliant | True
2.2.9 | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' | Compliant | True
2.2.10 | (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True
2.2.11 | (L1) Ensure 'Create a token object' is set to 'No One' | Compliant | True
2.2.12 | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
2.2.13 | (L1) Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True
2.2.14 A | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] | The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines | False
2.2.14 B | (L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed) | Hyper-V installed. Please refer to the corresponding benchmark when Hyper-V is installed. | None
2.2.15 | (L1) Ensure 'Debug programs' is set to 'Administrators' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
2.2.16 | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' | Compliant | True
2.2.17 | (L1) Ensure 'Deny log on as a batch job' to include 'Guests' | Compliant | True
2.2.18 | (L1) Ensure 'Deny log on as a service' to include 'Guests' | Compliant | True
2.2.19 | (L1) Ensure 'Deny log on locally' to include 'Guests' | Compliant | True
2.2.20 | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | Compliant | True
2.2.21 | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Compliant | True
2.2.22 | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True
2.2.23 | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed] | Compliant | True
2.2.24 | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed] | Compliant | True
2.2.25 | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' | Compliant | True
2.2.26 | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True
2.2.27 | (L1) Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True
2.2.28 | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' | Compliant | True
2.2.29 | (L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed] | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False
2.2.30 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' | Compliant | True
2.2.31 | (L1) Ensure 'Modify an object label' is set to 'No One' | Compliant | True
2.2.32 | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True
2.2.33 | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True
2.2.34 | (L1) Ensure 'Profile single process' is set to 'Administrators' | Compliant | True
2.2.35 | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | Compliant | True
2.2.36 | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
2.2.37 | (L1) Ensure 'Restore files and directories' is set to 'Administrators' | Compliant | True
2.2.38 | (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' | Compliant | True
2.2.39 | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True

Account Policies

Id | Task | Message | Status
1.1.1 | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' | Compliant | True
1.1.2 | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Compliant | True
1.1.3 | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | Compliant | True
1.1.4 | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' | Compliant | True
1.1.5 | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Compliant | True
1.2.1 | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True
1.2.2 | (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Compliant | True
1.2.3 | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
17.1.1 | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True
17.2.1 | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Compliant | True
17.2.2 | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True
17.2.3 | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True
17.3.1 | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True
17.3.2 | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True
17.5.1 | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True
17.5.2 | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True
17.5.3 | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
17.5.4 | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
17.5.5 | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True
17.5.6 | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True
17.6.1 | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True
17.6.2 | (L1) Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True
17.6.3 | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True
17.6.4 | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True
17.7.1 | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
17.7.2 | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True
17.7.3 | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True
17.7.4 | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True
17.7.5 | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True
17.8.1 | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True
17.9.1 | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Compliant | True
17.9.2 | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True
17.9.3 | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True
17.9.4 | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True
17.9.5 | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True

DISA Recommendations

This section contains the DISA STIG results.

Registry Settings/Group Policies

Id | Task | Message | Status
WN10-CC-000310 | Users must be prevented from changing installation options. | Compliant | True
WN10-CC-000315 | The Windows Installer Always install with elevated privileges must be disabled. | Compliant | True
WN10-CC-000320 | Users must be notified if a web-based program attempts to install software. | Compliant | True
WN10-CC-000325 | Automatically signing in the last interactive user after a system-initiated restart must be disabled. | Compliant | True
WN10-CC-000330 | The Windows Remote Management (WinRM) client must not use Basic authentication. | Compliant | True
WN10-CC-000335 | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Compliant | True
WN10-CC-000340 | The Windows Remote Management (WinRM) client must not use Digest authentication. | Compliant | True
WN10-CC-000345 | The Windows Remote Management (WinRM) service must not use Basic authentication. | Compliant | True
WN10-CC-000350 | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Compliant | True
WN10-CC-000355 | The Windows Remote Management (WinRM) service must not store RunAs credentials. | Compliant | True
WN10-AU-000500 | The Application event log size must be configured to 32768 KB or greater. | Compliant | True
WN10-AU-000505 | The Security event log size must be configured to 1024000 KB or greater. | Registry value is '196608'. Expected: 1024000 | False
WN10-AU-000510 | The System event log size must be configured to 32768 KB or greater. | Compliant | True
WN10-CC-000005 | Camera access from the lock screen must be disabled. | Compliant | True
WN10-CC-000010 | The display of slide shows on the lock screen must be disabled. | Compliant | True
WN10-CC-000020 | IPv6 source routing must be configured to highest protection. | Compliant | True
WN10-CC-000025 | The system must be configured to prevent IP source routing. | Compliant | True
WN10-CC-000030 | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | Compliant | True
WN10-CC-000035 | The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Compliant | True
WN10-CC-000040 | Insecure logons to an SMB server must be disabled. | Compliant | True
WN10-CC-000055 | Simultaneous connections to the Internet or a Windows domain must be limited. | Registry value not found. | False
WN10-CC-000060 | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | Compliant | True
WN10-CC-000065 | Wi-Fi Sense must be disabled. | Compliant | True
WN10-CC-000037 | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | Compliant | True
WN10-CC-000085 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Registry value is '3'. Expected: 8 | False
WN10-CC-000090 | Group Policy objects must be reprocessed even if they have not changed. | Compliant | True
WN10-CC-000100 | Downloading print driver packages over HTTP must be prevented. | Compliant | True
WN10-SO-000015 | Local accounts with blank passwords must be restricted to prevent access from the network. | Compliant | True
WN10-CC-000105 | Web publishing and online ordering wizards must be prevented from downloading a list of providers. | Compliant | True
WN10-CC-000110 | Printing over HTTP must be prevented. | Compliant | True
WN10-CC-000115 | Systems must at least attempt device authentication using certificates. | Compliant | True
WN10-CC-000120 | The network selection user interface (UI) must not be displayed on the logon screen. | Compliant | True
WN10-CC-000130 | Local users on domain-joined computers must not be enumerated. | Compliant | True
WN10-SO-000030 | Audit policy using subcategories must be enabled. | Compliant | True
WN10-SO-000035 | Outgoing secure channel traffic must be encrypted or signed. | Compliant | True
WN10-SO-000040 | Outgoing secure channel traffic must be encrypted when possible. | Compliant | True
WN10-CC-000145 | Users must be prompted for a password on resume from sleep (on battery). | Compliant | True
WN10-SO-000045 | Outgoing secure channel traffic must be signed when possible. | Compliant | True
WN10-CC-000150 | The user must be prompted for a password on resume from sleep (plugged in). | Compliant | True
WN10-CC-000155 | Solicited Remote Assistance must not be allowed. | Compliant | True
WN10-SO-000050 | The computer account password must not be prevented from being reset. | Compliant | True
WN10-CC-000165 | Unauthenticated RPC clients must be restricted from connecting to the RPC server. | Compliant | True
WN10-CC-000170 | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | Compliant | True
WN10-CC-000175 | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Registry key not found. | False
WN10-SO-000060 | The system must be configured to require a strong session key. | Compliant | True
WN10-CC-000180 | Autoplay must be turned off for non-volume devices. | Compliant | True
WN10-SO-000070 | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. | Compliant | True
WN10-CC-000185 | The default autorun behavior must be configured to prevent autorun commands. | Compliant | True
WN10-CC-000190 | Autoplay must be disabled for all drives. | Compliant | True
WN10-CC-000195 | Enhanced anti-spoofing for facial recognition must be enabled on Window 10. | Compliant | True
WN10-CC-000200 | Administrator accounts must not be enumerated during elevation. | Compliant | True
WN10-CC-000215 | Explorer Data Execution Prevention must be enabled. | Compliant | True
WN10-CC-000220 | Turning off File Explorer heap termination on corruption must be disabled. | Compliant | True
WN10-CC-000225 | File Explorer shell protocol must run in protected mode. | Compliant | True
WN10-SO-000095 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Compliant | True
WN10-CC-000230 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. | Compliant | True
WN10-CC-000235 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. | Compliant | True
WN10-SO-000100 | The Windows SMB client must be configured to always perform SMB packet signing. | Compliant | True
WN10-CC-000240 | InPrivate browsing in Microsoft Edge must be disabled. | Compliant | True
WN10-SO-000105 | The Windows SMB client must be enabled to perform SMB packet signing when possible. | Compliant | True
WN10-SO-000110 | Unencrypted passwords must not be sent to third-party SMB Servers. | Compliant | True
WN10-CC-000250 | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | Compliant | True
WN10-CC-000255 | The use of a hardware security device with Windows Hello for Business must be enabled. | Registry key not found. | False
WN10-SO-000120 | The Windows SMB server must be configured to always perform SMB packet signing. | Compliant | True
WN10-CC-000260 | Windows 10 must be configured to require a minimum pin length of six characters or greater. | Registry key not found. | False
WN10-SO-000125 | The Windows SMB server must perform SMB packet signing when possible. | Compliant | True
WN10-CC-000270 | Passwords must not be saved in the Remote Desktop Client. | Compliant | True
WN10-CC-000275 | Local drives must be prevented from sharing with Remote Desktop Session Hosts. | Compliant | True
WN10-CC-000280 | Remote Desktop Services must always prompt a client for passwords upon connection. | Compliant | True
WN10-CC-000285 | The Remote Desktop Session Host must require secure RPC communications. | Compliant | True
WN10-CC-000290 | Remote Desktop Services must be configured with the client connection encryption set to the required level. | Compliant | True
WN10-CC-000295 | Attachments must be prevented from being downloaded from RSS feeds. | Compliant | True
WN10-SO-000145 | Anonymous enumeration of SAM accounts must not be allowed. | Compliant | True
WN10-CC-000300 | Basic authentication for RSS feeds over HTTP must not be used. | Compliant | True
WN10-SO-000150 | Anonymous enumeration of shares must be restricted. | Compliant | True
WN10-CC-000305 | Indexing of encrypted files must be turned off. | Compliant | True
WN10-SO-000160 | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | Compliant | True
WN10-SO-000165 | Anonymous access to Named Pipes and Shares must be restricted. | Compliant | True
WN10-SO-000175 | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. | Compliant | True
WN10-SO-000180 | NTLM must be prevented from falling back to a Null session. | Compliant | True
WN10-SO-000185 | PKU2U authentication using online identities must be prevented. | Compliant | True
WN10-SO-000190 | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Compliant | True
WN10-SO-000195 | The system must be configured to prevent the storage of the LAN Manager hash of passwords. | Compliant | True
WN10-SO-000205 | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | Compliant | True
WN10-SO-000210 | The system must be configured to the required LDAP client signing level. | Compliant | True
WN10-SO-000215 | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | Compliant | True
WN10-SO-000220 | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | Compliant | True
WN10-SO-000230 | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | Registry value is '0'. Expected: 1 | False
WN10-SO-000240 | The default permissions of global system objects must be increased. | Compliant | True
WN10-SO-000245 | User Account Control approval mode for the built-in Administrator must be enabled. | Compliant | True
WN10-SO-000250 | User Account Control must, at minimum, prompt administrators for consent on the secure desktop. | Compliant | True
WN10-SO-000255 | User Account Control must automatically deny elevation requests for standard users. | Registry value is '3'. Expected: 0 | False
WN10-SO-000260 | User Account Control must be configured to detect application installations and prompt for elevation. | Compliant | True
WN10-SO-000265 | User Account Control must only elevate UIAccess applications that are installed in secure locations. | Compliant | True
WN10-SO-000270 | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | Compliant | True
WN10-SO-000275 | User Account Control must virtualize file and registry write failures to per-user locations. | Compliant | True
WN10-UC-000015 | Toast notifications to the lock screen must be turned off. | Registry key not found. | False
WN10-UC-000020 | Zone information must be preserved when saving attachments. | Registry key not found. | False
WN10-CC-000066 | Command line data must be included in process creation events. | Compliant | True
WN10-CC-000326 | PowerShell script block logging must be enabled. | Compliant | True
WN10-00-000150 | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. | Compliant | True
WN10-CC-000038 | WDigest Authentication must be disabled. | Compliant | True
WN10-CC-000044 | Internet connection sharing must be disabled. | Compliant | True
WN10-CC-000197 | Microsoft consumer experiences must be turned off. | Compliant | True
WN10-CC-000228 | Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. | Registry key not found. | False
WN10-CC-000252 | Windows 10 must be configured to disable Windows Game Recording and Broadcasting. | Compliant | True
WN10-CC-000068 | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. | Compliant | True
WN10-00-000165 | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. | Compliant | True
WN10-UC-000005 | The use of personal accounts for OneDrive synchronization must be disabled. | Registry key not found. | False
WN10-CC-000238 | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. | Compliant | True
WN10-CC-000204 | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. | Registry value not found. | False

User Rights Assignment

Id | Task | Message | Status
WN10-UR-000005 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000010 | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
WN10-UR-000015 | The Act as part of the operating system user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000025 | The Allow log on locally user right must only be assigned to the Administrators and Users groups. | Compliant | True
WN10-UR-000030 | The Back up files and directories user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000035 | The Change the system time user right must only be assigned to Administrators and Local Service. | Compliant | True
WN10-UR-000040 | The Create a pagefile user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000045 | The Create a token object user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000050 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True
WN10-UR-000055 | The Create permanent shared objects user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000065 | The Debug programs user right must only be assigned to the Administrators group. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
WN10-UR-000070 MW | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000070 SW | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Not applicable. This audit applies only to StandaloneWorkstation. | None
WN10-UR-000075 MW | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000080 MW | The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000085 MW | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000085 SW | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Not applicable. This audit applies only to StandaloneWorkstation. | None
WN10-UR-000090 MW | The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000090 SW | The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Not applicable. This audit applies only to StandaloneWorkstation. | None
WN10-UR-000100 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000105 | The Generate security audits user right must only be assigned to Local Service and Network Service. | Compliant | True
WN10-UR-000110 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True
WN10-UR-000115 | The Increase scheduling priority user right must only be assigned to the Administrators group. | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False
WN10-UR-000120 | The Load and unload device drivers user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000125 | The Lock pages in memory user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000130 | The Manage auditing and security log user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000140 | The Modify firmware environment values user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000145 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000150 | The Profile single process user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000160 | The Restore files and directories user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000165 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | Compliant | True

Account Policies

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-AC-000005 | Windows 10 account lockout duration must be configured to 15 minutes or greater. | Compliant | True |
| WN10-AC-000010 | The number of allowed bad logon attempts must be configured to 3 or less. | 'LockoutBadCount' currently set to: 5. Expected: x <= 3 and x != 0 | False |
| WN10-AC-000015 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | Compliant | True |
| WN10-AC-000020 | The password history must be configured to 24 passwords remembered. | Compliant | True |
| WN10-AC-000025 | The maximum password age must be configured to 60 days or less. | 'MaximumPasswordAge' currently set to: 120. Expected: x <= 60 | False |
| WN10-AC-000030 | The minimum password age must be configured to at least 1 day. | Compliant | True |
| WN10-AC-000035 | Passwords must, at a minimum, be 14 characters. | Compliant | True |
| WN10-AC-000040 | The built-in Microsoft password complexity filter must be enabled. | Compliant | True |
| WN10-AC-000045 | Reversible password encryption must be disabled. | Compliant | True |

Windows Features

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-00-000100 | Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | Compliant | True |
| WN10-00-000110 | Simple TCP/IP Services must not be installed on the system. | Compliant | True |
| WN10-00-000115 | The Telnet Client must not be installed on the system. | Compliant | True |
| WN10-00-000120 | The TFTP Client must not be installed on the system. | Compliant | True |

File System Permissions

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-AU-000515 | Permissions for the Application event log must prevent access by non-privileged accounts. | Compliant | True |
| WN10-AU-000520 | Permissions for the Security event log must prevent access by non-privileged accounts. | Compliant | True |
| WN10-AU-000525 | Permissions for the System event log must prevent access by non-privileged accounts. | Compliant | True |

Registry Permissions

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-RG-000005 A | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Compliant | True |
| WN10-RG-000005 B | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |
| WN10-RG-000005 C | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |

CyberGovAu Benchmarks

This section contains the CyberGovAu Benchmark results.

Registry Settings/Group Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 1909.01 | Ensure 'Deploy Windows Defender Application Control' is set to 'Enabled' | Registry value not found. | False |
| 1909.02.1 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.02.2 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.03.1 | Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | Compliant | True |
| 1909.03.2 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 1909.03.3 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 1909.03.4 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 1909.03.5 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 1909.03.6 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 1909.03.7 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 1909.03.8 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 1909.03.9 | Ensure 'Configure Attack Surface Reduction rules' is configured (Block executable files from running unless they meet a prevalence, age, or trusted list criterion). | Registry value not found. | False |
| 1909.03.10 | Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware). | Registry value is '0'. Expected: 1 | False |
| 1909.03.11 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 1909.03.12 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block process creations originating from PSExec and WMI commands) | Registry value not found. | False |
| 1909.03.13 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 1909.03.14 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
| 1909.03.15 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 1909.03.16 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True |
| 1909.04 | Ensure 'WDigest Authentication' is set to 'Disabled' | Registry value is '0'. Expected: 1 | False |
| 1909.05.1 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.05.2 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.05.3 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.06.1 | Ensure 'Configure allowed applications' is set to 'Enabled' | Registry key not found. | False |
| 1909.06.2 | Ensure 'Configure allowed applications' is set to 'Enabled' | Registry key not found. | False |
| 1909.07.1 | Ensure 'Configure Controlled folder access' is set to 'Enabled' | Registry key not found. | False |
| 1909.07.2 | Ensure 'Configure Controlled folder access' is set to 'Enabled' | Registry key not found. | False |
| 1909.08.1 | Ensure 'Configure protected folders' is set to 'Enabled' | Registry key not found. | False |
| 1909.08.2 | Ensure 'Configure protected folders' is set to 'Enabled' | Registry key not found. | False |
| 1909.09 | Ensure 'Do not display network selection UI' is set to 'Enabled' | Compliant | True |
| 1909.10 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Compliant | True |
| 1909.11 | Ensure 'Do not display the password reveal button' is set to 'Enabled' | Compliant | True |
| 1909.12 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Registry value not found. | False |
| 1909.13 | Ensure 'Require trusted path for credential entry' is set to 'Enabled' | Registry value not found. | False |
| 1909.14 | Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | Compliant | True |
| 1909.15 | Ensure 'Disable or enable software Secure Attention Sequence' is set to 'Disabled' | Registry value not found. | False |
| 1909.16 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' | Compliant | True |
| 1909.17 | Ensure 'Require Ctrl-Alt-Del' is set to 'Disabled' | Registry key not found. | False |
| 1909.18.1 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled' | Registry value is '3'. Expected: 1 | False |
| 1909.19.1 | Ensure 'Use a common set of exploit protection settings' is set to 'Enabled' | Registry key not found. | False |
| 1909.20 | Ensure 'Prevent users from modifying settings' is set to 'Enabled' | Compliant | True |
| 1909.21 | Ensure 'Turn off Data Execution Prevention' is set to 'Disabled' | Registry value not found. | False |
| 1909.22 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Compliant | True |
| 1909.23 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Compliant | True |
| 1909.24 | Ensure 'Allow Adobe Flash' is set to 'Disabled' | Compliant | True |
| 1909.25 | Ensure 'Allow Developer Tools' is set to 'Disabled' | Registry key not found. | False |
| 1909.27 | Ensure 'Configure Password Manager' is set to 'Disabled' | Compliant | True |
| 1909.28 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled' | Compliant | True |
| 1909.30 | Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' | Compliant | True |
| 1909.31 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' | Compliant | True |
| 1909.34 | Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled' | Compliant | True |
| 1909.36 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' | Compliant | True |
| 1909.37 | Ensure 'Allow Automatic Updates immediate installation' is set to 'Enabled' | Registry value not found. | False |
| 1909.38.1 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Compliant | True |
| 1909.38.2 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.38.3 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Compliant | True |
| 1909.38.4 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.39 | Ensure 'Do not include drivers with Windows Updates' is set to 'Disabled' | Registry value not found. | False |
| 1909.40 | Ensure 'Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.41 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | Compliant | True |
| 1909.42 | Ensure 'Remove access to use all Windows Update features' is set to 'Disabled' | Registry key not found. | False |
| 1909.43 | Ensure 'Turn on recommended updates via Automatic Updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.44.1 | Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled' | Registry value not found. | False |
| 1909.44.2 | Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled' | Registry value not found. | False |
| 1909.45 | Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Compliant | True |
| 1909.46 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Compliant | True |
| 1909.47 | Ensure 'Maximum configurable password age' is set to '365 days' | Registry value not found. | False |
| 1909.48 | Ensure 'Minimum password length' is set to '14 characters' | Registry key not found. | False |
| 1909.49 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Registry key not found. | False |
| 1909.50 | Ensure 'Standard User Lockout Duration' is set to '0' | Registry value not found. | False |
| 1909.51 | Ensure 'Standard User Individual Lockout Threshold' is set to '5' | Registry value not found. | False |
| 1909.52 | Ensure 'Enable insecure guest logons' is set to 'Disabled' | Compliant | True |
| 1909.53 | Ensure 'Turn off Microsoft Defender Antivirus' is set to 'Disabled' | Compliant | True |
| 1909.54 | Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Compliant | True |
| 1909.55 | Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled' | Registry value not found. | False |
| 1909.56.2 | Ensure 'Join Microsoft MAPS' is set to 'Enabled' | Registry value is '0'. Expected: 2 | False |
| 1909.57 | Ensure 'Send file samples when further analysis is required' is set to 'Enabled' | Registry value is '2'. Expected: 1 | False |
| 1909.58 | Ensure 'Configure extended cloud check' is set to 'Enabled' and set to '50' | Registry value not found. | False |
| 1909.59 | Ensure 'Select cloud protection level' is set to 'Enabled' | Registry value not found. | False |
| 1909.60 | Ensure 'Configure removal of items from Quarantine folder' is set to 'Disabled' | Registry key not found. | False |
| 1909.61 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' | Registry key not found. | False |
| 1909.63 | Ensure 'Turn on behavior monitoring' is set to 'Enabled' | Compliant | True |
| 1909.64 | Ensure 'Turn on process scanning whenever real-time protection is enabled' is set to 'Enabled' | Registry key not found. | False |
| 1909.65 | Ensure 'Allow users to pause scan' is set to 'Disabled' | Registry key not found. | False |
| 1909.66 | Ensure 'Check for the latest virus and spyware definitions before running a scheduled scan' is set to 'Enabled' | Registry key not found. | False |
| 1909.67 | Ensure 'Scan archive files' is set to 'Enabled' | Registry value not found. | False |
| 1909.68 | Ensure 'Scan packed executables' is set to 'Enabled' | Registry key not found. | False |
| 1909.69 | Ensure 'Scan removable drives' is set to 'Enabled' | Compliant | True |
| 1909.70 | Ensure 'Turn on e-mail scanning' is set to 'Enabled' | Compliant | True |
| 1909.71 | Ensure 'Turn on heuristics' is set to 'Enabled' | Registry key not found. | False |
| 1909.72 | Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' | Registry key not found. | False |
| 1909.73 | Ensure 'Hide mechanisms to remove zone information' is set to 'Enabled' | Registry key not found. | False |
| 1909.74 | Ensure 'Include command line in process creation events' is set to 'Enabled' | Compliant | True |
| 1909.75 | Ensure 'Specify the maximum log file size (KB)' is set to '65536' | Registry value is '32768'. Expected: 65536 | False |
| 1909.76 | Ensure 'Specify the maximum log file size (KB)' is set to '2097152' | Registry value is '196608'. Expected: 2097152 | False |
| 1909.77 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True |
| 1909.78 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled' | Compliant | True |
| 1909.79 | Ensure 'Turn off Autoplay' is set to 'Enabled' | Compliant | True |
| 1909.80 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Compliant | True |
| 1909.81 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Compliant | True |
| 1909.82 | Ensure 'Route all traffic through the internal network' is set to 'Enabled' | Registry key not found. | False |
| 1909.83 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
| 1909.84 | Ensure 'Remove CD Burning features' is set to 'Enabled' | Registry key not found. | False |
| 1909.85 | Ensure 'Prevent access to the command prompt' is set to 'Enabled' | Registry key not found. | False |
| 1909.86.1 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.86.2 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.86.3 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.86.4 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.87.1 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True |
| 1909.87.2 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Registry value not found. | False |
| 1909.87.3 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True |
| 1909.88 | Ensure 'All Removable Storage classes: Deny all access' is set to 'Enabled' | Registry key not found. | False |
| 1909.89 | Ensure 'CD and DVD: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.90 | Ensure 'CD and DVD: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.91 | Ensure 'Custom Classes: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.92 | Ensure 'Custom Classes: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.93 | Ensure 'Floppy Drives: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.94 | Ensure 'Floppy Drives: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.95 | Ensure 'Floppy Drives: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.96 | Ensure 'Removable Disks: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.97 | Ensure 'Removable Disks: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.98 | Ensure 'Removable Disks: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.99 | Ensure 'Tape Drives: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.100 | Ensure 'Tape Drives: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.101 | Ensure 'Tape Drives: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.102 | Ensure 'WPD Devices: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.103 | Ensure 'WPD Devices: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.104 | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | Compliant | True |
| 1909.105 | Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' | Registry key not found. | False |
| 1909.106.1 | Ensure 'Hardened UNC Paths' is set to 'Enabled' | Registry value not found. | False |
| 1909.106.2 | Ensure 'Hardened UNC Paths' is set to 'Enabled' | Registry value not found. | False |
| 1909.107 | Ensure 'Configure registry policy processing' is set to 'Enabled' | Registry key not found. | False |
| 1909.108 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Compliant | True |
| 1909.109 | Ensure 'Turn off Local Group Policy Objects processing' is set to 'Enabled' | Registry value not found. | False |
| 1909.110.1 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled' | Registry value not found. | False |
| 1909.110.2 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled' | Registry value not found. | False |
| 1909.110.3 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled' | Registry value not found. | False |
| 1909.111 | Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' | Compliant | True |
| 1909.112.1 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.2 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.3 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.4 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.112.5 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.6 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.113.1 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.113.2 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.113.3 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.113.4 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.114 | Ensure 'Deny write access to fixed drives not protected by BitLocker' is set to 'Enabled' | Registry value not found. | False |
| 1909.115 | Ensure 'Enforce drive encryption type on fixed data drives' is set to 'Enabled' and 'Full encryption' | Registry value not found. | False |
| 1909.116 | Ensure 'Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.' is set to 'Disabled' | Registry value not found. | False |
| 1909.117 | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Compliant | True |
| 1909.118 | Ensure 'Allow network unlock at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.119 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' | Compliant | True |
| 1909.120.1 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.2 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.120.3 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.4 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.5 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.6 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.121 | Ensure 'Configure minimum PIN length for startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.122.1 | Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.122.2 | Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.122.3 | Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.123 | Ensure 'Disallow standard users from changing the PIN or password' is set to 'Disabled' | Registry value not found. | False |
| 1909.124 | Ensure 'Enforce drive encryption type on operating system drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.1 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Compliant | True |
| 1909.125.2 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.125.3 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.4 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.5 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.6 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.126 | Ensure 'Reset platform validation data after BitLocker recovery' is set to 'Enabled' | Registry value not found. | False |
| 1909.127.1 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False |
| 1909.127.2 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.127.3 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False |
| 1909.127.4 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 2 | False |
| 1909.127.5 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.127.6 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.127.7 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.127.8 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.128.1 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.128.2 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.128.3 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.128.4 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.129.1 | Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.129.2 | Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.130 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Registry value not found. | False |
| 1909.131 | Ensure 'Enforce drive encryption type on removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.132.1 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Compliant | True |
| 1909.132.2 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Compliant | True |
| 1909.133 | Ensure 'Allow user control over installs' is set to 'Disabled' | Compliant | True |
| 1909.135 | Ensure 'Always install with elevated privileges' is set to 'Disabled' | Compliant | True |
| 1909.136 | Ensure 'Do not process the legacy run list' is set to 'Enabled' | Registry value not found. | False |
| 1909.137 | Ensure 'Do not process the run once list' is set to 'Enabled' | Registry value not found. | False |
| 1909.138 | Ensure 'Run these programs at user logon' is set to 'Disabled' | Registry key not found. | False |
| 1909.139 | Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | Compliant | True |
| 1909.140 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Registry key not found. | False |
| 1909.141 | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled' | Compliant | True |
| 1909.142 | Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled' | Compliant | True |
| 1909.143 | Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Compliant | True |
| 1909.144 | Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Compliant | True |
| 1909.145 | Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Registry value not found. | False |
| 1909.145 | Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Registry key not found. | False |
| 1909.146 | Ensure 'Require a Password When a Computer Wakes (On Battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.147 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.148 | Ensure 'Specify the system hibernate timeout (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.149 | Ensure 'Specify the system hibernate timeout (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.150 | Ensure 'Specify the system sleep timeout (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.151 | Ensure 'Specify the system sleep timeout (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.152 | Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.153 | Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled' and '0 seconds' | Registry key not found. | False |
| 1909.154 | Ensure 'Turn off hybrid sleep (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.155 | Ensure 'Turn off hybrid sleep (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.156 | Ensure 'Show hibernate in the power options menu' is set to 'Disabled' | Registry value not found. | False |
| 1909.157 | Ensure 'Show sleep in the power options menu' is set to 'Disabled' | Registry value not found. | False |
| 1909.158 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' | Compliant | True |
| 1909.159.1 | Ensure 'Turn on Script Execution' is set to 'Enabled' | Registry value not found. | False |
| 1909.159.2 | Ensure 'Turn on Script Execution' is set to 'Enabled' | Registry value not found. | False |
| 1909.160 | Ensure 'Prevent access to registry editing tools' is set to 'Enabled' | Registry key not found. | False |
| 1909.161 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Compliant | True |
| 1909.162 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Compliant | True |
| 1909.163 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' | Compliant | True |
| 1909.164 | Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Compliant | True |
| 1909.165 | Ensure 'Configure server authentication for client' is set to 'Enabled' | Registry value not found. | False |
| 1909.166 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | Compliant | True |
| 1909.168 | Ensure 'Deny logoff of an administrator logged in to the console session' is set to 'Enabled' | Registry value not found. | False |
| 1909.169 | Ensure 'Do not allow Clipboard redirection' is set to 'Enabled' | Registry value not found. | False |
| 1909.170 | Ensure 'Do not allow drive redirection' is set to 'Enabled' | Compliant | True |
| 1909.171 | Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Compliant | True |
| 1909.172 | Ensure 'Do not allow local administrators to customize permissions' is set to 'Enabled' | Registry value not found. | False |
| 1909.173 | Ensure 'Require secure RPC communication' is set to 'Enabled' | Compliant | True |
| 1909.174 | Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled' | Compliant | True |
| 1909.175 | Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | Compliant | True |
| 1909.176 | Ensure 'Set client connection encryption level' is set to 'Enabled' | Compliant | True |
| 1909.177 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled' | Compliant | True |
| 1909.178 | Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Compliant | True |
| 1909.179 | Ensure 'Turn off Inventory Collector' is set to 'Enabled' | Registry key not found. | False |
| 1909.180 | Ensure 'Turn off Steps Recorder' is set to 'Enabled' | Registry key not found. | False |
| 1909.181 | Ensure 'Allow Telemetry' is set to 'Enabled' | Compliant | True |
| 1909.182.1 | Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled' | Registry value not found. | False |
| 1909.182.2 | Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled' | Registry value not found. | False |
| 1909.182.3 | Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled' | Registry value not found. | False |
| 1909.183 | Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Compliant | True |
| 1909.184 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' | Compliant | True |
| 1909.185 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Compliant | True |
| 1909.186 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | Compliant | True |
| 1909.187 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Compliant | True |
| 1909.188 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | Compliant | True |
| 1909.189 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | Compliant | True |
| 1909.190 | Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' | Compliant | True |
| 1909.191 | Ensure 'Configure SMB v1 client driver' is set to 'Enabled' | Compliant | True |
| 1909.192 | Ensure 'Configure SMB v1 server' is set to 'Disabled' | Compliant | True |
| 1909.193 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Compliant | True |
| 1909.194 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Compliant | True |
| 1909.195 | Ensure 'Allow users to select when a password is required when resuming from connected standby' is set to 'Disabled' | Registry value not found. | False |
| 1909.196 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Compliant | True |
| 1909.197 | Ensure 'Show lock in the user tile menu' is set to 'Enabled' | Registry value not found. | False |
| 1909.198 | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.199 | Ensure 'Enable screen saver' is set to 'Enabled' | Registry key not found. | False |
| 1909.199 | Ensure 'Password protect the screen saver' is set to 'Enabled' | Registry key not found. | False |
| 1909.200 | Ensure 'Screen saver timeout' is set to 'Enabled' | Registry key not found. | False |
| 1909.201 | Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' | Registry key not found. | False |
1909.202Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'Registry value not found.False
1909.203Ensure 'Do not allow Sound Recorder to run' is set to 'Enabled'Registry key not found.False
1909.204Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
1909.205Ensure 'Disallow Digest authentication' is set to 'Enabled'CompliantTrue
1909.206Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
1909.207Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
1909.208Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'CompliantTrue
1909.209Ensure 'Allow Remote Shell Access' is set to 'Disabled'Registry value is '1'. Expected: 0False
1909.210Ensure 'Allow Cortana' is set to 'Disabled'CompliantTrue
1909.211Ensure 'Don't search the web or display web results in Search' is set to 'Enabled'Registry value not found.False
1909.212Ensure 'Windows To Go Default Startup Options' is set to 'Disabled'Registry key not found.False
1909.213Ensure 'Remove Security tab' is set to 'Enabled'Registry key not found.False
1909.214Ensure 'Turn off location scripting' is set to 'Enabled'Registry value not found.False
1909.215Ensure 'Turn off location' is set to 'Enabled'Registry key not found.False
1909.216Ensure 'Turn off Windows Location Provider' is set to 'Enabled'Registry value not found.False
1909.217Ensure 'Turn off access to the Store' is set to 'Enabled'CompliantTrue
1909.218Ensure 'Turn off the Store application' is set to 'Enabled'CompliantTrue
1909.219Ensure 'Determine if interactive users can generate Resultant Set of Policy data' is set to 'Enabled'Registry value not found.False
1909.220Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'CompliantTrue
1909.222Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'CompliantTrue
1909.223Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'CompliantTrue
1909.224(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'CompliantTrue
1909.225(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'Registry value is '3'. Expected: 0False
1909.226(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'CompliantTrue
1909.227Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'CompliantTrue
1909.228Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'CompliantTrue
1909.229Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'CompliantTrue
1909.230Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'CompliantTrue
1909.231Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'CompliantTrue
1909.233Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'Registry value not found.False
1909.234Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'CompliantTrue
1909.235Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'CompliantTrue
1909.236Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'CompliantTrue
1909.237Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'CompliantTrue
1909.238Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'CompliantTrue
1909.239Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'CompliantTrue
1909.240Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'CompliantTrue
1909.243Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 65536 or less'CompliantTrue
1909.260Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
1909.262Ensure 'CD and DVD: Deny read access' is set to 'Disabled'Registry key not found.False
1909.263Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'CompliantTrue
1909.264Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'CompliantTrue
1909.265Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'CompliantTrue
1909.266Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'CompliantTrue
1909.267Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'CompliantTrue
1909.268Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
1909.269Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
1909.270Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'CompliantTrue
1909.275Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'CompliantTrue
1909.276Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'CompliantTrue
1909.277Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'CompliantTrue
1909.278Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'CompliantTrue
1909.279Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'CompliantTrue
1909.280Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'CompliantTrue
1909.281Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'CompliantTrue
1909.282Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'CompliantTrue
1909.283Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higherCompliantTrue
1909.284Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'CompliantTrue
1909.285Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'CompliantTrue
1909.288Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'CompliantTrue
1909.289Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'CompliantTrue
1909.290Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'CompliantTrue
1909.291Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
1909.292Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'CompliantTrue
1909.293Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'CompliantTrue
1909.296Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higherCompliantTrue
1909.314Ensure 'Allow download restrictions' is set to 'Enabled'Registry value is '1'. Expected: 2False
1909.315Ensure 'Configure Do Not Track' is set to 'Enabled'Registry value not found.False
1909.316Ensure 'Control the mode of DNS-over-HTTPS' is set to 'Enabled'Registry value not found.False
1909.317Ensure 'Control where Developer Tools can be used' is set to 'Enabled'Registry value not found.False
1909.318Ensure 'DNS interception checks enabled' is set to 'Disabled'Registry value not found.False
1909.319Ensure 'Default pop-up window setting' is set to 'Enabled'Registry value not found.False
1909.320Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'Registry value not found.False
1909.321Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'CompliantTrue
1909.322Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled'CompliantTrue
1909.323Ensure 'Use the Enterprise Mode IE website list' is set to 'Enabled'Registry key not found.False
1909.324Ensure 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.' is set to 'Enabled'Registry key not found.False
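The rows above only say whether a registry key or value was missing or wrong; they do not say where it lives or how to put it right. The script below is an added example (the editor's code, not part of the report or of the tool that produced it). It re-checks a representative subset of the rows marked False straight from the registry, reproducing the three outcomes the report distinguishes (key missing, value missing, value present but wrong), and with -Remediate writes the expected data. The Id column is the report's; the registry key and value names are the editor's mapping of those CIS items to their policy locations and should be confirmed against the benchmark in use.

```powershell
# Added example (editor's code, not the report tool's): re-check a representative
# subset of the CIS rows marked False above directly in the registry and, with
# -Remediate, write the expected value. Ids come from the report; the key and
# value names are the editor's mapping to the CIS policy locations (assumption).
# Run from an elevated PowerShell for the HKLM entries.
[CmdletBinding()]
param([switch]$Remediate)

$TS  = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LOC = 'SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
$SSV = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'   # screen saver, user policy

$checks = @(
    @{ Id='1909.169'; Hive='HKLM:'; Key=$TS;  Name='fDisableClip';                   Expected=1; Type='DWord' }
    @{ Id='1909.179'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\Windows\AppCompat'; Name='DisableInventory'; Expected=1; Type='DWord' }
    @{ Id='1909.180'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\Windows\AppCompat'; Name='DisableUAR';       Expected=1; Type='DWord' }
    @{ Id='1909.197'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\Windows\Explorer';  Name='ShowLockOption';   Expected=1; Type='DWord' }
    @{ Id='1909.198'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'; Name='AllowWindowsInkWorkspace'; Expected=1; Type='DWord' }
    @{ Id='1909.209'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'; Name='AllowRemoteShellAccess'; Expected=0; Type='DWord' }
    @{ Id='1909.211'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name='DisableWebSearch'; Expected=1; Type='DWord' }
    @{ Id='1909.212'; Hive='HKLM:'; Key='SOFTWARE\Policies\Microsoft\PortableOperatingSystem'; Name='Launcher'; Expected=0; Type='DWord' }
    @{ Id='1909.214'; Hive='HKLM:'; Key=$LOC; Name='DisableLocationScripting';       Expected=1; Type='DWord' }
    @{ Id='1909.215'; Hive='HKLM:'; Key=$LOC; Name='DisableLocation';                Expected=1; Type='DWord' }
    @{ Id='1909.216'; Hive='HKLM:'; Key=$LOC; Name='DisableWindowsLocationProvider'; Expected=1; Type='DWord' }
    @{ Id='1909.225'; Hive='HKLM:'; Key='SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='ConsentPromptBehaviorUser'; Expected=0; Type='DWord' }
    # User-scope policies: only the hive of the user running this script is visible.
    @{ Id='1909.199'; Hive='HKCU:'; Key=$SSV; Name='ScreenSaveActive';    Expected='1';   Type='String' }
    @{ Id='1909.199'; Hive='HKCU:'; Key=$SSV; Name='ScreenSaverIsSecure'; Expected='1';   Type='String' }
    @{ Id='1909.200'; Hive='HKCU:'; Key=$SSV; Name='ScreenSaveTimeOut';   Expected='900'; Type='String' }
    @{ Id='1909.201'; Hive='HKCU:'; Key='Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'; Name='NoToastApplicationNotificationOnLockScreen'; Expected=1; Type='DWord' }
    @{ Id='1909.202'; Hive='HKCU:'; Key='Software\Policies\Microsoft\Windows\CloudContent'; Name='DisableThirdPartySuggestions'; Expected=1; Type='DWord' }
    @{ Id='1909.213'; Hive='HKCU:'; Key='Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoSecurityTab'; Expected=1; Type='DWord' }
)

function Test-PolicyValue {
    # Reproduces the three outcomes the report distinguishes. A missing policy
    # key means the GPO/MDM setting was never delivered, not merely misconfigured.
    param([hashtable]$Check)
    $path = Join-Path $Check.Hive $Check.Key
    if (-not (Test-Path -LiteralPath $path)) {
        $msg = 'Registry key not found.'; $ok = $false
    } else {
        $item = Get-ItemProperty -LiteralPath $path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $msg = 'Registry value not found.'; $ok = $false
        } else {
            $actual = $item.($Check.Name)
            if ("$actual" -eq "$($Check.Expected)") { $msg = 'Compliant'; $ok = $true }
            else { $msg = "Registry value is '$actual'. Expected: $($Check.Expected)"; $ok = $false }
        }
    }
    [pscustomobject]@{ Id = $Check.Id; Value = "$path\$($Check.Name)"; Message = $msg; Status = $ok }
}

function Set-PolicyValue {
    # Creates the policy key if needed and writes the expected data with the right type.
    param([hashtable]$Check)
    $path = Join-Path $Check.Hive $Check.Key
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -LiteralPath $path -Name $Check.Name -Value $Check.Expected `
        -PropertyType $Check.Type -Force | Out-Null
}

$results = foreach ($c in $checks) {
    $r = Test-PolicyValue -Check $c
    if ($Remediate -and -not $r.Status) {
        Set-PolicyValue -Check $c
        $r = Test-PolicyValue -Check $c      # re-read so the table shows the post-fix state
    }
    $r
}
$results | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner should keep in mind. Writing policy keys by hand is fine for a lab or for confirming a finding, but on a managed machine Group Policy or MDM re-applies its own state at the next refresh, so the lasting fix is in the baseline, not in the registry. And 1909.233 ('Network access: Allow anonymous SID/Name translation') is not a registry value at all: it is the LSAAnonymousNameLookup setting in the local security policy database, so its "Registry value not found" message does not mean the setting is absent; check it with secedit /export and look under [System Access].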

User Rights Assignment

Id | Task | Message | Status
1909.241 | Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators + The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
1909.242 | Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: LOCAL | False
1909.244 | Ensure 'Manage auditing and security log' is set to 'Administrators' | Compliant | True
1909.271 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' | Compliant | True
1909.273 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop Users' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Administrators | False
1909.274 | Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | Compliant | True
1909.294 | Ensure 'Back up files and directories' is set to 'Administrators' | Compliant | True
1909.295 | Ensure 'Restore files and directories' is set to 'Administrators' | Compliant | True
1909.297 | Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True
1909.298 | Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True
1909.299 | Ensure 'Allow log on locally' is set to 'Administrators, Users' | Compliant | True
1909.300 | Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True
1909.301 | Ensure 'Create a token object' is set to 'No One' | Compliant | True
1909.302 | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
1909.303 | Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True
1909.304 | Ensure 'Debug programs' is set to 'Administrators' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
1909.305 | Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Compliant | True
1909.306 | Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True
1909.307 | Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
1909.308 | Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True
1909.309 | Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True
1909.310 | Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True
1909.311 | Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True
1909.312 | Ensure 'Profile single process' is set to 'Administrators' | Compliant | True
1909.313 | Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True
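User rights are not registry values; they live in the local security policy database, which is why the messages above talk about SeNetworkLogonRight and SeDebugPrivilege rather than keys. The script below is an added example (the editor's code, not the report tool's) of how to reproduce those four findings yourself: it exports the rights with secedit, parses the [Privilege Rights] section into SID lists, resolves the SIDs to names, and reports unexpected and missing members. The well-known SIDs are the editor's mapping of the group names in the report; the 'LOCAL' principal in 1909.242 is read as the 'Local account' identity S-1-5-113, which is an assumption. Run it from an elevated prompt.

```powershell
# Added example (editor's code, not the report tool's). Exports the local user
# rights with secedit, resolves the SIDs, and compares the four rights flagged
# above against the expected members. SID mapping and the reading of 'LOCAL'
# as S-1-5-113 are the editor's assumptions. Requires an elevated prompt.
$Expected = @{
    SeNetworkLogonRight           = @('S-1-5-32-544', 'S-1-5-32-555')  # Administrators, Remote Desktop Users (1909.241)
    SeDenyNetworkLogonRight       = @('S-1-5-32-546', 'S-1-5-113')     # Guests, Local account (1909.242)
    SeRemoteInteractiveLogonRight = @('S-1-5-32-555')                  # Remote Desktop Users only (1909.273, the stricter L1 row)
    SeDebugPrivilege              = @('S-1-5-32-544')                  # Administrators (1909.304)
}

function Get-UserRightsAssignment {
    # Parses the [Privilege Rights] section of a secedit export into right -> SID list.
    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
                # secedit writes SIDs prefixed with '*'; entries it cannot resolve appear as plain names.
                $rights[$Matches[1]] = @($Matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
        return $rights
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Resolve-Principal([string]$SidOrName) {
    # S-1-5-32-544 -> BUILTIN\Administrators; names and unknown SIDs are returned unchanged.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($SidOrName)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $SidOrName }
}

function Compare-UserRight {
    param([hashtable]$Actual, [string]$Right, [string[]]$Wanted)
    $have       = @($Actual[$Right] | Where-Object { $_ })   # a right nobody holds is absent from the export
    $unexpected = @($have   | Where-Object { $_ -notin $Wanted })
    $missing    = @($Wanted | Where-Object { $_ -notin $have })
    $parts = @()
    if ($unexpected.Count) { $parts += 'unexpected: ' + (($unexpected | ForEach-Object { Resolve-Principal $_ }) -join ', ') }
    if ($missing.Count)    { $parts += 'missing: '    + (($missing    | ForEach-Object { Resolve-Principal $_ }) -join ', ') }
    $msg = if ($parts.Count) { $parts -join '; ' } else { 'Compliant' }
    [pscustomobject]@{ Right = $Right; Message = $msg; Status = ($parts.Count -eq 0) }
}

$actual = Get-UserRightsAssignment
$Expected.Keys | Sort-Object |
    ForEach-Object { Compare-UserRight -Actual $actual -Right $_ -Wanted $Expected[$_] } |
    Format-Table -AutoSize -Wrap
```

Note that rows 1909.271 and 1909.273 expect different members for the same right (Administrators plus Remote Desktop Users versus Remote Desktop Users alone); the script follows the L1 row, so adjust $Expected if the other profile is the one in force. Remediation is not a cmdlet call: set the rights in the Group Policy object that owns this machine, or apply an .inf carrying the desired [Privilege Rights] with secedit /configure, and rerun the export to confirm.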

Account Policies

Id | Task | Message | Status
1909.232 | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
1909.245 | Ensure 'Audit Computer Account Management' is set to 'Success and Failure' | Set to: No Auditing | False
1909.246 | Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' | Set to: No Auditing | False
1909.247 | Ensure 'Audit Security Group Management' is set to 'Success and Failure' | Set to: Success | False
1909.248 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True
1909.249 | Ensure 'Audit Process Creation' is set to 'Success' | Compliant | True
1909.250 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True
1909.251 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True
1909.252 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
1909.253 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
1909.254 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True
1909.255 | Ensure 'Audit Special Logon' is set to include 'Success and Failure' | Set to: Success | False
1909.256 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True
1909.257 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True
1909.258 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
1909.259 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True
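The "Set to:" messages above are the effective audit settings as auditpol reports them. The script below is an added example (the editor's code, not the report tool's) that reads those four failing subcategories through auditpol's CSV output, applies the same Success/Failure test the rows describe, and with -Remediate enables both on each. The subcategory names are the English-locale auditpol names, which is an assumption about the build; run it elevated.

```powershell
# Added example (editor's code, not the report tool's). Reads the effective
# setting of the four subcategories marked False above with auditpol and, with
# -Remediate, enables Success and Failure on them. Subcategory names are the
# English-locale auditpol names (assumption). Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Remediate)

$Wanted = @(
    @{ Id='1909.245'; Subcategory='Computer Account Management';     Success=$true; Failure=$true }
    @{ Id='1909.246'; Subcategory='Other Account Management Events'; Success=$true; Failure=$true }
    @{ Id='1909.247'; Subcategory='Security Group Management';       Success=$true; Failure=$true }
    @{ Id='1909.255'; Subcategory='Special Logon';                   Success=$true; Failure=$true }
)

function Get-AuditInclusion([string]$Subcategory) {
    # auditpol /r prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    ($rows | Where-Object { $_.Subcategory -eq $Subcategory } | Select-Object -First 1).'Inclusion Setting'
}

function Test-AuditSubcategory([hashtable]$Spec) {
    $setting = Get-AuditInclusion $Spec.Subcategory
    if (-not $setting) {
        return [pscustomobject]@{ Id = $Spec.Id; Subcategory = $Spec.Subcategory
                                  Message = 'Subcategory not found (check name/locale)'; Status = $false }
    }
    # "Success and Failure" satisfies both tests; "Success" alone fails the Failure test, as in 1909.247/255.
    $ok = (-not $Spec.Success -or $setting -match 'Success') -and
          (-not $Spec.Failure -or $setting -match 'Failure')
    $msg = if ($ok) { 'Compliant' } else { "Set to: $setting" }
    [pscustomobject]@{ Id = $Spec.Id; Subcategory = $Spec.Subcategory; Message = $msg; Status = $ok }
}

function Set-AuditSubcategory([hashtable]$Spec) {
    $s = if ($Spec.Success) { 'enable' } else { 'disable' }
    $f = if ($Spec.Failure) { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($Spec.Subcategory)" "/success:$s" "/failure:$f" | Out-Null
}

$results = foreach ($w in $Wanted) {
    $r = Test-AuditSubcategory $w
    if ($Remediate -and -not $r.Status) { Set-AuditSubcategory $w; $r = Test-AuditSubcategory $w }
    $r
}
$results | Format-Table -AutoSize
```

Because 1909.260 ('Force audit policy subcategory settings ... to override audit policy category settings') is Compliant on this host, the subcategory values set here are the ones that take effect. They are still local state: if a Group Policy object defines Advanced Audit Policy for this machine, it will overwrite an auditpol /set change at the next policy refresh, so make the change in that GPO and use the script only to verify.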

Microsoft Benchmarks

This section contains the Microsoft Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
Registry-001 | Set registry value 'PUAProtection' to 1. | Compliant | True
Registry-002 | Set registry value 'MpCloudBlockLevel' to 2. | Registry value not found. | False
Registry-003 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. | Compliant | True
Registry-004 | Ensure 'Turn off real-time protection' is set to 'Disabled'. | Compliant | True
Registry-005 | Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
Registry-006 | Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'. | Registry value is '2'. Expected: 1 | False
Registry-007 | Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'. | Registry value is '0'. Expected: 2 | False
Registry-008 | Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'. | Registry value not found. | False
Registry-009 | Set registry value 'ExploitGuard_ASR_Rules' to 1. | Compliant | True
Registry-010 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True
Registry-011 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True
Registry-012 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True
Registry-013 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True
Registry-014 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True
Registry-015 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True
Registry-016 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True
Registry-017 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True
Registry-018 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True
Registry-019 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True
Registry-020 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True
Registry-021 | Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware) | Registry value is '0'. Expected: 1 | False
Registry-022 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True
Registry-023 | Set registry value 'EnableNetworkProtection' to 1. | Compliant | True
Registry-024 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. | Compliant | True
Registry-025 | Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'. | Compliant | True
Registry-026 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Compliant | True
Registry-027 | Set registry value 'HVCIMATRequired' to 1. | Compliant | True
Registry-028 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Compliant | True
Registry-029 | Set registry value 'ConfigureSystemGuardLaunch' to 1. | Compliant | True
Registry-031 | Set registry value 'UseEnhancedPin' to 1. | Compliant | True
Registry-032 | Set registry value 'RDVDenyCrossOrg' to 0. | Compliant | True
Registry-033 | Set registry value 'DisableExternalDMAUnderLock' to 1. | Compliant | True
Registry-034 | Set registry value 'DCSettingIndex' to 0. | Compliant | True
Registry-035 | Set registry value 'ACSettingIndex' to 0. | Compliant | True
Registry-036 | Set registry value 'DenyDeviceClasses' to 1. | Compliant | True
Registry-037 | Set registry value 'DenyDeviceClassesRetroactive' to 1. | Compliant | True
Registry-038 | Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}. | Compliant | True
Registry-039 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. | Compliant | True
Registry-040 | Set registry value 'AutoConnectAllowedOEM' to 0. | Compliant | True
Registry-041 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
Registry-042 | Ensure 'Turn off Autoplay' is set to 'All drives'. | Compliant | True
Registry-043 | Set registry value 'NoWebServices' to 1. | Compliant | True
Registry-044 | Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'. | Compliant | True
Registry-045 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
Registry-046 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
Registry-047 | Set registry value 'LocalAccountTokenFilterPolicy' to 0. | Compliant | True
Registry-048 | Set registry value 'AllowEncryptionOracle' to 0. | Compliant | True
Registry-049 | Set registry value 'EnhancedAntiSpoofing' to 1. | Compliant | True
Registry-050 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
Registry-051 | Set registry value 'PreventCertErrorOverrides' to 1. | Compliant | True
Registry-052 | Set registry value 'FormSuggest Passwords' to no. | Compliant | True
Registry-053 | Set registry value 'EnabledV9' to 1. | Compliant | True
Registry-054 | Set registry value 'PreventOverride' to 1. | Compliant | True
Registry-055 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Compliant | True
Registry-056 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
Registry-057 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
Registry-058 | Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2. | Compliant | True
Registry-059 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
Registry-060 | Set registry value 'AllowProtectedCreds' to 1. | Compliant | True
Registry-061 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Compliant | True
Registry-062 | Ensure 'Specify the maximum log file size (KB)' is set to '196608'. | Compliant | True
Registry-063 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Compliant | True
Registry-064 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
Registry-065 | Set registry value 'AllowGameDVR' to 0. | Compliant | True
Registry-066 | Ensure 'Configure registry policy processing' is set to '0'. | Compliant | True
Registry-067 | Ensure 'Configure registry policy processing' is set to '0'. | Compliant | True
Registry-068 | Set registry value 'AlwaysInstallElevated' to 0. | Compliant | True
Registry-069 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
Registry-070 | Set registry value 'DeviceEnumerationPolicy' to 0. | Compliant | True
Registry-071 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
Registry-072 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True
Registry-073 | Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1. | Compliant | True
Registry-074 | Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1. | Compliant | True
Registry-075 | Set registry value 'NoLockScreenCamera' to 1. | Compliant | True
Registry-076 | Set registry value 'NoLockScreenSlideshow' to 1. | Compliant | True
Registry-077 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging) | Compliant | True
Registry-078 | Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging) | Registry value not found. | False
Registry-079 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
Registry-080 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
Registry-081 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled'. | Compliant | True
Registry-082 | Set registry value 'ShellSmartScreenLevel' to Block. | Compliant | True
Registry-083 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
Registry-084 | Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0. | Compliant | True
Registry-085 | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
Registry-086 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
Registry-087 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
Registry-088 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
Registry-089 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
Registry-090 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
Registry-091 | Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
Registry-092 | Set registry value 'DisableWebPnPDownload' to 1. | Compliant | True
Registry-093 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'. | Compliant | True
Registry-094 | Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI' | Compliant. Registry value not found. | True
Registry-095 | Configure Solicited Remote Assistance to disabled. | Compliant | True
Registry-096 | Configure Solicited Remote Assistance - Allow helpers to only view the computer. | Compliant. Registry value not found. | True
Registry-097 | Set registry value 'MaxTicketExpiry' to . | Compliant. Registry value not found. | True
Registry-098 | Set registry value 'MaxTicketExpiryUnits' to . | Compliant. Registry value not found. | True
Registry-099 | Set registry value 'MinEncryptionLevel' to 3. | Compliant | True
Registry-100 | Set registry value 'fPromptForPassword' to 1. | Compliant | True
Registry-101 | Set registry value 'fDisableCdm' to 1. | Compliant | True
Registry-102 | Set registry value 'DisablePasswordSaving' to 1. | Compliant | True
Registry-103 | Set registry value 'fEncryptRPCTraffic' to 1. | Compliant | True
Registry-104 | Set registry value 'PolicyVersion' to 538. | Registry value not found. | False
Registry-105 | Domain: Set registry value 'DefaultOutboundAction' to 0. | Compliant | True
Registry-106 | Domain: Set registry value 'DisableNotifications' to 1. | Compliant | True
Registry-107 | Domain: Set registry value 'EnableFirewall' to 1. | Compliant | True
Registry-108 | Domain: Set registry value 'DefaultInboundAction' to 1. | Compliant | True
Registry-109 | Domain: Set registry value 'LogDroppedPackets' to 1. | Compliant | True
Registry-110 | Domain: Set registry value 'LogFileSize' to 16384. | Compliant | True
Registry-111 | Domain: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True
Registry-112 | Private: Set registry value 'EnableFirewall' to 1. | Compliant | True
Registry-113 | Private: Set registry value 'DisableNotifications' to 1. | Compliant | True
Registry-114 | Private: Set registry value 'DefaultInboundAction' to 1. | Compliant | True
Registry-115 | Private: Set registry value 'DefaultOutboundAction' to 0. | Registry value is '0'. Expected: 1 | False
Registry-116 | Private: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True
Registry-117 | Private: Set registry value 'LogDroppedPackets' to 1. | Compliant | True
Registry-118 | Private: Set registry value 'LogFileSize' to 16384. | Compliant | True
Registry-119 | Public: Set registry value 'DefaultOutboundAction' to 0. | Registry value is '0'. Expected: 1 | False
Registry-120 | Public: Set registry value 'EnableFirewall' to 1. | Compliant | True
Registry-121 | Public: Set registry value 'DisableNotifications' to 1. | Compliant | True
Registry-122 | Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0. | Compliant | True
Registry-123 | Public: Set registry value 'AllowLocalPolicyMerge' to 0. | Compliant | True
Registry-124 | Public: Set registry value 'DefaultInboundAction' to 1. | Compliant | True
Registry-125 | Public: Set registry value 'LogFileSize' to 16384. | Registry key not found. | False
Registry-126 | Public: Set registry value 'LogDroppedPackets' to 1. | Compliant | True
Registry-127 | Public: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True
Registry-128 | Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'. | Registry value is '0'. Expected: 1 | False
Registry-129 | Set registry value 'AdmPwdEnabled' to 1. | Compliant | True
Registry-130 | Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'. | Compliant | True
Registry-131 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
Registry-132 | Set registry value 'DriverLoadPolicy' to 3. | Compliant | True
Registry-133 | Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
Registry-134 | Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'. | Compliant | True
Registry-135 | Set registry value 'NoNameReleaseOnDemand' to 1. | Compliant | True
Registry-136 | Set registry value 'NodeType' to 2. | Compliant | True
Registry-137 | Set registry value 'EnableICMPRedirect' to 0. | Compliant | True
Registry-138 | Set registry value 'DisableIPSourceRouting' to 2. | Compliant | True
Registry-139 | Set registry value 'DisableIPSourceRouting' to 2. | Compliant | True
Registry-140 | Set registry value 'ScRemoveOption' to 1. | Compliant | True
Registry-141 | Set registry value 'InactivityTimeoutSecs' to 900. | Compliant | True
Registry-142 | Set registry value 'NoLMHash' to 1. | Compliant | True
Registry-143 | Set registry value 'EnablePlainTextPassword' to 0. | Compliant | True
Registry-144 | Set registry value 'LimitBlankPasswordUse' to 1. | Compliant | True
Registry-145 | Set registry value 'RestrictAnonymousSAM' to 1. | Compliant | True
Registry-146 | Set registry value 'RestrictAnonymous' to 1. | Compliant | True
Registry-147 | Set registry value 'RestrictNullSessAccess' to 1. | Compliant | True
Registry-148 | Set registry value 'SCENoApplyLegacyAuditPolicy' to 1. | Compliant | True
Registry-149 | Set registry value 'NTLMMinClientSec' to 537395200. | Compliant | True
Registry-150 | Set registry value 'LmCompatibilityLevel' to 5. | Compliant | True
Registry-151 | Set registry value 'allownullsessionfallback' to 0. | Compliant | True
Registry-152 | Set registry value 'NTLMMinServerSec' to 537395200. | Compliant | True
Registry-153 | Set registry value 'requirestrongkey' to 1. | Compliant | True
Registry-154 | Set registry value 'RequireSecuritySignature' to 1. | Compliant | True
Registry-155 | Set registry value 'sealsecurechannel' to 1. | Compliant | True
Registry-156 | Set registry value 'requiresignorseal' to 1. | Compliant | True
Registry-157 | Set registry value 'signsecurechannel' to 1. | Compliant | True
Registry-158 | Set registry value 'requiresecuritysignature' to 1. | Compliant | True
Registry-159 | Set registry value 'ProtectionMode' to 1. | Compliant | True
Registry-160 | Set registry value 'ConsentPromptBehaviorAdmin' to 2. | Compliant | True
Registry-161 | Set registry value 'EnableSecureUIAPaths' to 1. | Compliant | True
Registry-162 | Set registry value 'EnableLUA' to 1. | Compliant | True
Registry-163 | Set registry value 'ConsentPromptBehaviorUser' to 0. | Registry value is '3'. Expected: 0 | False
Registry-164 | Set registry value 'EnableInstallerDetection' to 1. | Compliant | True
Registry-165 | Set registry value 'FilterAdministratorToken' to 1. | Compliant | True
Registry-166 | Set registry value 'EnableVirtualization' to 1. | Compliant | True
Registry-167 | Set registry value 'LDAPClientIntegrity' to 1. | Compliant | True
Registry-168 | Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA). | Compliant | True
Registry-223 | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
Registry-224 | Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1. | Registry key not found. | False
Registry-225 | Set registry value 'FormSuggest Passwords' to 1. | Registry key not found. | False
Registry-226 | Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'. | Registry key not found. | False
Registry-227 | Set registry value 'FormSuggest Passwords' to no. | Registry key not found. | False
Registry-228 | Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer' is set to 'Enabled'. | Registry value not found. | False
Registry-229 | Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. | Registry value not found. | False
Registry-230 | Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. | Compliant | True
Registry-231 | Set registry value 'CheckExeSignatures' to yes. | Compliant | True
Registry-232 | Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. | Compliant | True
Registry-233 | Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. | Compliant | True
Registry-234 | Set registry value 'Isolation' to PMEM. | Compliant | True
Registry-235 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-236 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-237 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False
Registry-238 | Set registry value 'explorer.exe' to 1. | Compliant | True
Registry-239 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-240 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-241 | Set registry value 'explorer.exe' to 1. | Compliant | True
Registry-242 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-243 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-244 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-245 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False
Registry-246 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-247 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-248 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-249Set registry value 'explorer.exe' to 1.Registry value not found.False
Registry-250Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-251Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-252Set registry value 'explorer.exe' to 1.CompliantTrue
Registry-253Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-254Set registry value '(Reserved)' to 1.CompliantTrue
Registry-255Set registry value 'explorer.exe' to 1.Registry value not found.False
Registry-256Set registry value '(Reserved)' to 1.Registry value not found.False
Registry-257Set registry value 'explorer.exe' to 1.CompliantTrue
Registry-258Set registry value 'iexplore.exe' to 1.Registry value not found.False
Registry-259Set registry value 'PreventOverrideAppRepUnknown' to 1.CompliantTrue
Registry-260Set registry value 'PreventOverride' to 1.CompliantTrue
Registry-261Ensure 'Prevent managing SmartScreen Filter' is set to 'On'.Registry value not found.False
Registry-262Set registry value 'NoCrashDetection' to 1.CompliantTrue
Registry-263Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'.CompliantTrue
Registry-264Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'.CompliantTrue
Registry-265Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'.CompliantTrue
Registry-266Set registry value 'Security_zones_map_edit' to 1.CompliantTrue
Registry-267Set registry value 'Security_options_edit' to 1.CompliantTrue
Registry-268Set registry value 'Security_HKLM_only' to 1.CompliantTrue
Registry-269Ensure 'Check for server certificate revocation' is set to 'Enabled'.CompliantTrue
Registry-270Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'.CompliantTrue
Registry-271Set registry value 'WarnOnBadCertRecving' to 1.CompliantTrue
Registry-272Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'.Registry value not found.False
Registry-273Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'.CompliantTrue
Registry-274Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-275Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-276Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-277Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-278Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-279Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-280Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'.CompliantTrue
Registry-281Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-282Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-283Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-284Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-285Ensure 'Java permissions' is set to 'High safety'.CompliantTrue
Registry-286Ensure 'Java permissions' is set to 'High safety'.CompliantTrue
Registry-287Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-288Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-289Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-290Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.CompliantTrue
Registry-291Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.CompliantTrue
Registry-292Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.CompliantTrue
Registry-293Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-294Ensure 'Access data sources across domains' is set to 'Disable'.CompliantTrue
Registry-295Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.CompliantTrue
Registry-296Ensure 'Automatic prompting for file downloads' is set to 'Disable'.CompliantTrue
Registry-297Ensure 'Allow scriptlets' is set to 'Disable'.CompliantTrue
Registry-298Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.CompliantTrue
Registry-299Ensure 'Use Pop-up Blocker' is set to 'Enable'.CompliantTrue
Registry-300Ensure 'Turn on Protected Mode' is set to 'Enable'.CompliantTrue
Registry-301Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry value is '0'. Expected: 3False
Registry-302Ensure 'Userdata persistence' is set to 'Disable'.CompliantTrue
Registry-303Ensure 'Allow loading of XAML files' is set to 'Disable'.CompliantTrue
Registry-304Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-305Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-306Ensure 'Download signed ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-307Ensure 'Logon options' is set to 'Prompt for user name and password'.CompliantTrue
Registry-308Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.CompliantTrue
Registry-309Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-310Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.CompliantTrue
Registry-311Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.CompliantTrue
Registry-312Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.CompliantTrue
Registry-313Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-314Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.CompliantTrue
Registry-315Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.CompliantTrue
Registry-316Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.CompliantTrue
Registry-317Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry value not found.False
Registry-318Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'.Registry value is '3'. Expected: 1False
Registry-319Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry value not found.False
Registry-320Set registry value '140C' to 3. (Zones\3)Registry value not found.False
Registry-321Ensure 'Allow META REFRESH' is set to 'Disable'.CompliantTrue
Registry-322Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-323Ensure 'Download signed ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-324Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.CompliantTrue
Registry-325Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.CompliantTrue
Registry-326Ensure 'Use Pop-up Blocker' is set to 'Enable'.CompliantTrue
Registry-327Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-328Ensure 'Userdata persistence' is set to 'Disable'.CompliantTrue
Registry-329Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.CompliantTrue
Registry-330Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.CompliantTrue
Registry-331Ensure 'Access data sources across domains' is set to 'Disable'.CompliantTrue
Registry-332Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.CompliantTrue
Registry-333Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-334Ensure 'Automatic prompting for file downloads' is set to 'Disable'.CompliantTrue
Registry-335Ensure 'Allow binary and script behaviors' is set to 'Disable'.CompliantTrue
Registry-336Ensure 'Scripting of Java applets' is set to 'Disable'.CompliantTrue
Registry-337Ensure 'Allow file downloads' is set to 'Disable'.CompliantTrue
Registry-338Ensure 'Allow loading of XAML files' is set to 'Disable'.CompliantTrue
Registry-339Ensure 'Allow active scripting' is set to 'Disable'.CompliantTrue
Registry-340Ensure 'Logon options' is set to 'Anonymous logon'.CompliantTrue
Registry-341Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-342Ensure 'Turn on Protected Mode' is set to 'Enable'.CompliantTrue
Registry-343Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.CompliantTrue
Registry-344Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-345Ensure 'Allow scriptlets' is set to 'Disable'.CompliantTrue
Registry-346Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-347Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.CompliantTrue
Registry-348Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.CompliantTrue
Registry-349Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.CompliantTrue
Registry-350Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry value is '0'. Expected: 3False
Registry-351Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.CompliantTrue
Registry-352Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.CompliantTrue
Registry-353Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.CompliantTrue
Registry-354Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-355Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.CompliantTrue
Registry-356Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.CompliantTrue
Registry-357Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.Registry value is '1'. Expected: 3False
Registry-358Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry value not found.False
Registry-359Set registry value '140C' to 3. (Zones\4)Registry value not found.False

User Rights Assignment

Id | Task | Message | Status
UserRight-170 | Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-171 | Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-172 | Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-173 | Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-174 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' | Compliant | True
UserRight-175 | Ensure 'SeCreatePermanentPrivilege' is set to '' | Compliant | True
UserRight-176 | Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-177 | Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-178 | Ensure 'SeLockMemoryPrivilege' is set to '' | Compliant | True
UserRight-179 | Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113' | Compliant | True
UserRight-180 | Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators. The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
UserRight-181 | Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True
UserRight-182 | Ensure 'SeCreateTokenPrivilege' is set to '' | Compliant | True
UserRight-183 | Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True
UserRight-184 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-185 | Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-186 | Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545' | Compliant | True
UserRight-187 | Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-188 | Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
UserRight-189 | Ensure 'SeTrustedCredManAccessPrivilege' is set to '' | Compliant | True
UserRight-190 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-191 | Ensure 'SeTcbPrivilege' is set to '' | Compliant | True
UserRight-192 | Ensure 'SeEnableDelegationPrivilege' is set to '' | Compliant | True

Account Policies

Id | Task | Message | Status
AccountPolicy-216 | Ensure 'MinimumPasswordLength' is set to '14'. | Compliant | True
AccountPolicy-217 | Ensure 'PasswordComplexity' is set to '1'. | Compliant | True
AccountPolicy-218 | Ensure 'PasswordHistorySize' is set to '24'. | Compliant | True
AccountPolicy-219 | Ensure 'LockoutBadCount' is set to '10'. | Compliant | True
AccountPolicy-220 | Ensure 'ResetLockoutCount' is set to '15'. | Compliant | True
AccountPolicy-221 | Ensure 'LockoutDuration' is set to '15'. | Compliant | True
AccountPolicy-222 | Ensure 'ClearTextPassword' is set to '0'. | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
AuditPolicy-193 | Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-194 | Ensure 'Security Group Management' is set to 'Success'. | Compliant | True
AuditPolicy-195 | Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-196 | Ensure 'Plug and Play Events' is set to 'Success'. | Compliant | True
AuditPolicy-197 | Ensure 'Process Creation' is set to 'Success'. | Compliant | True
AuditPolicy-198 | Ensure 'Account Lockout' is set to 'Failure'. | Compliant | True
AuditPolicy-199 | Ensure 'Group Membership' is set to 'Success'. | Compliant | True
AuditPolicy-200 | Ensure 'Logon' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-201 | Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-202 | Ensure 'Special Logon' is set to 'Success'. | Compliant | True
AuditPolicy-203 | Ensure 'Detailed File Share' is set to 'Failure'. | Compliant | True
AuditPolicy-204 | Ensure 'File Share' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-205 | Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-206 | Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-207 | Ensure 'Audit Policy Change' is set to 'Success'. | Compliant | True
AuditPolicy-208 | Ensure 'Authentication Policy Change' is set to 'Success'. | Compliant | True
AuditPolicy-209 | Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-210 | Ensure 'Other Policy Change Events' is set to 'Failure'. | Compliant | True
AuditPolicy-211 | Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-212 | Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-213 | Ensure 'Security State Change' is set to 'Success'. | Compliant | True
AuditPolicy-214 | Ensure 'Security System Extension' is set to 'Success'. | Compliant | True
AuditPolicy-215 | Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'. | Compliant | True

BSI Benchmarks SiSyPHuS Logging

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
4.1.1 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True
4.1.2 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Compliant | True
4.2.1.1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Compliant | True
4.2.1.2 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
4.2.1.3 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False
4.2.1.4 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Compliant | True
4.2.2.1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True
4.2.2.2 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
4.2.2.3 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Compliant | True
4.2.2.4 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Compliant | True
4.2.3.1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True
4.2.3.2 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True
4.2.3.3 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True
4.2.3.4 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
4.3.1.1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True
4.3.2.1.1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
4.3.2.1.2 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.2.2.1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
4.3.2.2.2 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.2.3.1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True
4.3.2.3.2 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.2.4.1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
4.3.2.4.2 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False
4.3.4.2 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False
4.3.4.3 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
5.1.1.1 | Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True
5.1.1.2 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True
5.1.1.3 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True
5.1.1.4 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True
5.1.1.5 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
5.1.1.6 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
5.1.1.7 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True
5.1.1.8 | Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True
5.2.1.1 | Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True
5.2.1.2 | Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True
5.2.1.3 | Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True
5.2.1.4 | Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True
5.2.1.5 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True
5.2.1.6 | Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True
5.2.1.7 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True
5.2.1.8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True
5.2.1.9 | Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True
5.3.1.1 | Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True
5.3.1.2 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
5.3.1.3 | Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True
5.3.1.4 | Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True
5.3.1.5 | Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True
5.3.1.6 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True
5.5.1.1 | Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True
5.5.1.2 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True

BSI Benchmarks SiSyPHuS HD

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
11 | (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. | Compliant | True
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
13 | (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. | Compliant | True
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
15 | (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. | Compliant | True
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
18 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True
19 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
23 | (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. | Compliant | True
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True
28 | (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. | Compliant | True
29 | (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True
30 | (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True
31 | (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True
32 | (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
36 | (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. | Compliant | True
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
38 | (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
47 | (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. | Compliant | True
48 | (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. | Compliant | True
49 | (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. | Compliant | True
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
58 | (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False
66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Compliant | True
67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Compliant | True
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True
70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False
71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True
72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True
73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True
80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True
83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False
92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False
93(HD) Ensure 'Allow Online Tips' is set to 'Disabled'.CompliantTrue
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
104(HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. CompliantTrue
105(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
108(HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
110(HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. Registry value not found.False
111(HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'.Registry value not found.False
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
122(HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. CompliantTrue
123(HD) Ensure 'Allow Use of Camera' is set to 'Disabled'.Registry value is '1'. Expected: 0False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
125(HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
128(HD) Ensure 'Turn off location' is set to 'Enabled'.CompliantTrue
129(HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'.CompliantTrue
130(HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'.CompliantTrue
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
132(HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'.CompliantTrue
133(HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
140(HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. CompliantTrue
141(HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'.CompliantTrue
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
144(HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
150(HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. CompliantTrue
151(HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'.Registry value not found.False
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
154(HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'.CompliantTrue
155(HD) Ensure 'Turn off the Store application' is set to 'Enabled'.CompliantTrue
156(HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '0'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
166(HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
176(HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
179(HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user.Registry key not found.False
182(HD) Ensure 'Prevent Codec Download' is set to 'Enabled'.Registry key not found.False
184(HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
190(HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'.Registry value is '1'. Expected: 0False
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
195(HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'.Registry value not found.False
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
219(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'.CompliantTrue
220(ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.CompliantTrue
221(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. CompliantTrue
222(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. CompliantTrue
223(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. CompliantTrue
224(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.CompliantTrue
225(HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.CompliantTrue
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
228(HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
232(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. CompliantTrue
233(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. CompliantTrue
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
248(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.CompliantTrue
250(HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'.Registry value not found.False
251(HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'.Registry value not found.False
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
273(HD) Ensure 'System settings: Optional subsystems' is set to 'None'. CompliantTrue
274(HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'.CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
316(HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
318(HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
319(HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
322(HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
325(HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
327(HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
329(HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'.CompliantTrue
330(HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
332(HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'.CompliantTrue
333(HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'.CompliantTrue
334(HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'.CompliantTrue
335(HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. CompliantTrue
336(HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'.CompliantTrue
337(HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
340(HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
342(HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
344(HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
346(HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'.CompliantTrue
347(HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'.CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
350(HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
352(HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. CompliantTrue
353(HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'.CompliantTrue
354(HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. CompliantTrue
355(HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'.Registry value is '2'. Expected: 4False
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
361(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'.CompliantTrue
362(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.CompliantTrue
363(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.CompliantTrue
364(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .Registry value is '0'. Expected: 1False
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.Registry value is '0'. Expected: 1False
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue

User Rights Assignment-

IdTaskMessageStatus
277(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'.CompliantTrue
278(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'.CompliantTrue
279(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. + +CompliantTrue
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
281 | (HD) Configure 'Log on as a service'. [Hyper-V-Feature NOT installed] | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | Compliant | True
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113). The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators. The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False

Account Policies

Id | Task | Message | Status
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True

Security Options

Id | Task | Message | Status
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True
249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True

BSI Benchmarks SiSyPHuS ND

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '0'. Expected: 99 | False
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). | Compliant | True
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). | Compliant | True
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). | Compliant | True
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). | Compliant | True
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). | Compliant | True
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). | Compliant | True
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). | Compliant | True
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). | Compliant | True
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). | Compliant | True
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). | Compliant | True
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. | Compliant | True
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True

User Rights Assignment-

IdTaskMessageStatus
277(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'.CompliantTrue
278(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'.CompliantTrue
279(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'.CompliantTrue
280(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
282(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
284(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'.The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113) +The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0)False
285(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. CompliantTrue
286(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. CompliantTrue
287(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
288(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'.CompliantTrue
289(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators +The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
290(ND, NE) Ensure 'Debug programs' is set to 'Administrators'.The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\AdministratorsFalse
291(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'.CompliantTrue
292(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'.CompliantTrue
293(ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'.CompliantTrue
294(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
295(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'.CompliantTrue
296(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. CompliantTrue
297(ND, NE) Ensure 'Profile single process' is set to 'Administrators'.CompliantTrue
298(ND, NE) Ensure 'Create a token object' is set to 'No One'.CompliantTrue
299(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'.CompliantTrue
300(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'.CompliantTrue
301(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. CompliantTrue
302(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'.CompliantTrue
303(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
304(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'.CompliantTrue
305(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'.CompliantTrue
306(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
307(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. CompliantTrue
308(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'.CompliantTrue
309(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'.CompliantTrue
310(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' .CompliantTrue
311(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. CompliantTrue
312(ND, NE) Ensure 'Modify an object label' is set to 'No One'.CompliantTrue
313(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'.CompliantTrue
314(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. CompliantTrue
315(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCALFalse

Account Policies-

IdTaskMessageStatus
200(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'.CompliantTrue
201(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'.CompliantTrue
202(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'.CompliantTrue
203(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.CompliantTrue
204(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'.CompliantTrue
205(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' .CompliantTrue
206(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'.CompliantTrue
207(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'.CompliantTrue
208(ND) Ensure 'Reset account lockout counter after' is set to '15 ormore minute(s)'. CompliantTrue

Security Options-

IdTaskMessageStatus
235(ND, NE) Configure 'Accounts: Rename administrator account'.CompliantTrue
236(ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'.CompliantTrue
237(ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. CompliantTrue
238(ND, NE) Configure 'Accounts: Rename guest account'.CompliantTrue
249(ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'.CompliantTrue

BSI Benchmarks SiSyPHuS NE-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
6(ND, NE) Ensure 'LSA Protection' is set to 'Enabled'.Registry value not found.False
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'.CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '0'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user.Registry key not found.False
183(ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'.Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.CompliantTrue
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. CompliantTrue
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |

User Rights Assignment

| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113); The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False |

Account Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True |

Security Options

| Id | Task | Message | Status |
|---|---|---|---|
| 235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
| 236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
| 237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
| 238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |

BSI Benchmarks SiSyPHus-BSI

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 3.1.1 A | Configuration of the lowest possible telemetry-level (Enterprise Windows 10) | Compliant | True |
| 3.1.1 B | Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10) | Registry value is '0'. Expected: 1 | False |
| 3.1.2.1 | Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack | Compliant | True |
| 3.1.2.2 | Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diagtrack-Listener | Compliant | True |
| 3.1.3.1.1 | Deactivation of telemetry according to Microsoft - Disable Windows Update Service | Registry value is '3'. Expected: 4 | False |
| 3.1.3.1.2 | Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS | Compliant | True |
| 3.1.3.1.3 | Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files | Compliant | True |

BSI Benchmarks SiSyPHus-BSI Bundespolizei

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 0003 | Ensure 'Configure Automatic Updates' is set to 4 | Registry value not found. | False |
| 0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day' | Compliant | True |
| 0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768' | Compliant | True |
| 0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False |
| 0037 | Ensure 'Allow enhanced PINs for startup' is set 'Enabled'. | Compliant | True |
| 0038 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Compliant | True |
| 0039 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Registry value not found. | False |
| 0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set 'Disabled'. | Compliant | True |
| 0041 | Ensure 'Allow user control over installs' is set 'Disabled'. | Compliant | True |
| 0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True |
| 0065 | Ensure 'Enumerate administrator accounts on elevation' is set 'Disabled'. | Registry value not found. | False |
| 0101 | Ensure 'Restrict Unauthenticated RPC clients' is set 'Enabled' | Compliant | True |
| 0109 | Ensure 'Allow Telemetry' is set to 0. | Compliant | True |
| 0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True |
| 0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True |
| 0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
| 0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True |
| 0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 0121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True |
| 0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
| 0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True |
| 0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True |
| 0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True |
| 0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 0138 | Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True |
| 0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False |
| 0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True |
| 0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False |
| 0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True |
| 0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True |
| 0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False |
| 0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True |
| 0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Compliant | True |
| 0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
| 0153 | Ensure 'Do not delete temp folders upon exit' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0154 | Ensure 'Do not display network selection UI' set to 'Enabled'. | Compliant | True |
| 0155 | Ensure 'Do not enumerate connected users on domain-joined computers' set to 'Enabled'. | Compliant | True |
| 0156 | Ensure 'Enable insecure guest logons' set to 'Disabled'. | Compliant | True |
| 0157 | Ensure 'Enable local admin password management' set to 'Enabled'. | Compliant | True |
| 0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' set to 'Enabled'. | Compliant | True |
| 0159 | Ensure 'Enable screen saver' set to 'Enabled'. | Registry key not found. | False |
| 0160 | Ensure 'Enable Windows NTP Server' set to 'Disabled'. | Compliant | True |
| 0161 | Ensure 'Enable/Disable PerfTrack' set to 'Disabled'. | Compliant | True |
| 0163 | Ensure 'Enumerate local users on domain-joined computers' set to 'Disabled'. | Compliant | True |
| 0164 | Ensure 'Include command line in process creation events' set to 'Disabled'. | Registry key not found. | False |
| 0165 | Ensure 'Let Windows apps access account information' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0166 | Ensure 'Let Windows apps access call history' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0167 | Ensure 'Let Windows apps access contacts' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0168 | Ensure 'Let Windows apps access email' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0169 | Ensure 'Let Windows apps access location' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0170 | Ensure 'Let Windows apps access messaging' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0171 | Ensure 'Let Windows apps access motion' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0172 | Ensure 'Let Windows apps access notifications' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0173 | Ensure 'Let Windows apps access the calendar' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0174 | Ensure 'Let Windows apps access the camera' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0175 | Ensure 'Let Windows apps access the microphone' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0176 | Ensure 'Let Windows apps access trusted devices' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0177 | Ensure 'Let Windows apps control radios' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0178 | Ensure 'Let Windows apps make phone calls' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0179 | Ensure 'Let Windows apps sync with devices' set to 'Enabled:Force Deny'. | Registry value not found. | False |
| 0185 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' set to 'Enabled'. | Registry value not found. | False |
| 0209 | Ensure 'Prevent downloading of enclosures' set to 'Enabled'. | Compliant | True |
| 0210 | Ensure 'Prevent enabling lock screen camera' set to 'Enabled'. | Compliant | True |
| 0211 | Ensure 'Prevent enabling lock screen slide show' set to 'Enabled'. | Compliant | True |
| 0212 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'. | Registry value not found. | False |
| 0213 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'. | Compliant | True |
| 0214 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' set to 'Disabled'. | Compliant | True |
| 0215 | Ensure 'Prevent the computer from joining a homegroup' set to 'Enabled'. | Compliant | True |
| 0216 | Ensure 'Prohibit access of the Windows Connect Now wizards' set to 'Enabled'. | Compliant | True |
| 0217 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' set to 'Enabled'. | Compliant | True |
| 0218 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0220 | Ensure 'Require a password when a computer wakes (on battery)' set to 'Enabled'. | Compliant | True |
| 0221 | Ensure 'Require a password when a computer wakes (plugged in)' set to 'Enabled'. | Compliant | True |
| 0222 | Ensure 'Require additional authentication at startup' set to 'Enabled'. | Compliant | True |
| 0223 | Ensure 'Require domain users to elevate when setting a network's location' set to 'Enabled'. | Compliant | True |
| 0224 | Ensure 'Set the default behavior for AutoRun' set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 0225 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' set to 'Disabled'. | Compliant | True |
| 0229 | Ensure 'Turn off background refresh of Group Policy' set to 'Disabled'. | Compliant | True |
| 0230 | Ensure 'Turn off Data Execution Prevention for Explorer' set to 'Disabled'. | Compliant | True |
| 0231 | Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'. | Compliant | True |
| 0232 | Ensure 'Turn off handwriting personalization data sharing' set to 'Enabled'. | Compliant | True |
| 0233 | Ensure 'Turn off handwriting recognition error reporting' set to 'Enabled'. | Compliant | True |
| 0234 | Ensure 'Turn off heap termination on corruption' set to 'Disabled'. | Compliant | True |
| 0235 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True |
| 0236 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'. | Compliant | True |
| 0237 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' set to 'Enabled'. | Compliant | True |
| 0238 | Ensure 'Turn off picture password sign-in' set to 'Enabled'. | Compliant | True |
| 0239 | Ensure 'Turn off printing over HTTP' set to 'Enabled'. | Compliant | True |
| 0240 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True |
| 0241 | Ensure 'Turn off Search Companion content file updates' set to 'Enabled'. | Compliant | True |
| 0242 | Ensure 'Turn off shell protocol protected mode' set to 'Disabled'. | Compliant | True |
| 0243 | Ensure 'Turn off the 'Order Prints' picture task' set to 'Enabled'. | Compliant | True |
| 0244 | Ensure 'Turn off the 'Publish to Web' task for files and folders' set to 'Enabled'. | Compliant | True |
| 0245 | Ensure 'Turn on convenience PIN sign-in' set to 'Disabled'. | Compliant | True |
| 0246 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' set to 'Disabled'. | Compliant | True |
| 0247 | Ensure 'Turn on Responder (RSPNDR) driver' set to 'Disabled'. | Compliant | True |
| 0248 | Ensure 'Turn On Virtualization Based Security' set to 'Enabled: Block untrusted fonts and log events'. | Compliant | True |
| 0249 | Ensure 'Untrusted Font Blocking' set to 'Enabled'. | Registry key not found. | False |
| 0250 | Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'. | Compliant | True |
| 0251 | Ensure 'WDigest Authentication' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0253 | Ensure 'Windows Firewall: Domain: Apply local firewall rules' set to 'Disabled'. | Compliant | True |
| 0254 | Ensure 'Windows Firewall: Domain: Display a notification' set to 'Disabled'. | Compliant | True |
| 0279 | Ensure 'Windows Firewall: Domain: Logging: Name' set to '%windir%\system32\logfiles\firewall\domainfirewall.log'. | Compliant | True |
| 0280 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'. | Registry key not found. | False |
| 0281 | Ensure 'Windows Firewall: Public: Outbound connections' set to 'Allow'. | Registry value is '0'. Expected: 1 | False |
| 0282 | Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content' set to 'Enabled'. | Compliant | True |
| 0283 | Ensure 'Turn off KMS Client Online AVS Validation' set to 'Enabled'. | Compliant | True |
| 0284 | Ensure 'Do not display the password reveal button' set to 'Enabled'. | Compliant | True |
| 0285 | Ensure 'Join Microsoft MAPS' set to 'Disabled'. | Registry value not found. | False |
| 0286 | Ensure 'Configure search suggestions in Address bar' set to 'Disabled'. | Compliant | True |
| 0287 | Ensure 'Configure Windows SmartScreen' set to 'Enabled: Require approval from an administrator before running downloaded unknown software'. | Registry value is '1'. Expected: 2 | False |
| 0288 | Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' set to 'Enabled'. | Compliant | True |
| 0289 | Ensure 'Don't allow SmartScreen Filter warning overrides' set to 'Enabled'. | Compliant | True |
| 0290 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Registry value not found. | False |
| 0291 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Compliant | True |
| 0292 | Ensure 'Turn on SmartScreen Filter scan' set to 'Enabled'. | Compliant | True |
| 0293 | Ensure 'Allow Cortana' set to 'Disabled'. | Compliant | True |
| 0294 | Ensure 'Allow search and Cortana to use location' set to 'Disabled'. | Compliant | True |
| 0295 | Ensure 'Disable all apps from Microsoft Store' set to 'Enabled'. | Registry value not found. | False |
| 0296 | Ensure 'Disable pre-release features or settings' set to 'Disabled'. | Registry value not found. | False |
| 0297 | Ensure 'Turn off access to the Store' set to 'Enabled'. | Compliant | True |
| 0298 | Ensure 'Turn off Automatic Download and Install of updates' set to 'Enabled'. | Registry value is '4'. Expected: 2 | False |
| 0299 | Ensure 'Turn off the offer to update to the latest version of Windows' set to 'Enabled'. | Compliant | True |
| 0300 | Ensure 'Turn off the Store application' set to 'Enabled'. | Compliant | True |
| 0301 | Ensure 'Allow Basic authentication' set to 'Disabled'. | Compliant | True |
| 0302 | Ensure 'Allow unencrypted traffic' set to 'Disabled'. | Compliant | True |
| 0304 | Ensure 'Allow Remote Shell Access' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 0306 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. | Compliant | True |
| 0307 | Ensure 'Disallow Digest authentication' set to 'Enabled'. | Compliant | True |
| 0308 | Ensure 'Disallow WinRM from storing RunAs credentials' set to 'Enabled'. | Compliant | True |
| 0309 | Ensure 'Do not allow COM port redirection' set to 'Enabled'. | Compliant | True |
| 0310 | Ensure 'Do not allow drive redirection' set to 'Enabled'. | Compliant | True |
| 0311 | Ensure 'Do not allow LPT port redirection' set to 'Enabled'. | Compliant | True |
| 0312 | Ensure 'Do not use temporary folders per session' set to 'Disabled'. | Registry value not found. | False |
| 0313 | Ensure 'Apply UAC restrictions to local accounts on network logons' set to 'Enabled'. | Compliant | True |
| 0323 | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' set to 'Disabled'. | Registry value is ''. Expected: | False |
| 0324 | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' set to 'Disabled'. | Registry value is ''. Expected: | False |
| 0325 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' set to 'XTS-AES 256-bit'. | Registry value not found. | False |
| 0328 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'. | Compliant | True |
| 0329 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'. | Compliant | True |
| 0330 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'. | Registry value not found. | False |
| 0331 | Ensure 'Configure minimum PIN length for startup' set to 'Enabled' and 'minimum characters' set to 10. | Registry value not found. | False |
| 0332 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0333 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0334 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 0335 | Ensure 'Configure use of passwords for fixed data drives' set to 'Disabled'. | Compliant | True |
| 0336 | Ensure 'Configure use of passwords for operating system drives' set to 'Disabled'. | Compliant | True |
| 0337 | Ensure 'Configure use of passwords for removable data drives' set to 'Disabled'. | Registry value not found. | False |
| 0338 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Enabled'. | Compliant | True |
| 0339 | Ensure 'Configure use of smart cards on removable data drives' set to 'Enabled'. | Compliant | True |
| 0340 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'. | Compliant | True |
| 0342 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Save BitLocker recovery information to AD DS for fixed data drives'. | Compliant | True |
| 0343 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Save BitLocker recovery information to AD DS for operating system drives'. | Compliant | True |
| 0344 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'. | Compliant | True |
| 0345 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key and PIN with TPM'. | Registry value not found. | False |
| 0346 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0347 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0348 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True |
| 0349 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0350 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0351 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True |
| 0352 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Require use of smart cards on fixed data drives'. | Compliant | True |
| 0353 | Ensure 'Configure use of smart cards on removable data drives' set to 'Require use of smart cards on removable data drives'. | Compliant | True |
| 0354 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Do not allow write access to devices configured in another organization'. | Registry value is '0'. Expected: 1 | False |
| 0355 | Ensure 'Password Settings' set to 'Large letters + small letters + numbers + specials'. | Compliant | True |
| 0358 | Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'. | Compliant | True |
| 0359 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard'. | Compliant | True |
| 0360 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (Test)'. | Compliant | True |
| 0361 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'. | Compliant | True |
| 0362 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key with TPM'. | Registry value not found. | False |
| 0363 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow 48-digit recovery password'. | Compliant | True |
| 0364 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Require 48-digit recovery password'. | Registry value is '2'. Expected: 1 | False |
| 0365 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 48-digit recovery password'. | Registry value not found. | False |
| 0366 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'. | Compliant | True |
| 0367 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True |
| 0368 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True |
| 0369 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Password Length' and set to greater or equal 15. | Compliant | True |
| 0370 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Also apply to matching devices that are already installed. (True)'. | Registry value not found. | False |
| 0371 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True)'. | Compliant | True |
| 0372 | Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'. | Registry value not found. | False |
| 0373 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'. | Compliant | True |
| 0374 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'. | Compliant | True |
| 0375 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True |
| 0376 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'. | Compliant | True |
| 0377 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True |
| 0378 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True |
| 0380 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True |
| 0384 | Ensure 'Password Age' set to less or equal 42. | Registry value is '10'. Expected: 42 | False |
| 0385 | Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'. | Registry value not found. | False |
| 0386 | Ensure 'Turn on PowerShell Transcription' set to 'Disabled'. | Compliant | True |
| 0387 | Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'. | Compliant | True |
| 0388 | Ensure 'Require secure RPC communication' set to 'Enabled'. | Compliant | True |
| 0389 | Ensure 'Set client connection encryption level' set to 'Enabled: High Level'. | Compliant | True |
| 0390 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'. | Registry value is '900000'. Expected: 300000 | False |
| 0391 | Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'. | Compliant | True |

User Rights Assignment

| Id | Task | Message | Status |
|---|---|---|---|
| 0044 | Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled' | The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SID | False |
| 0045 | Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup Operators | False |
| 0046 | Ensure 'SeTcbPrivilege' is set to 'None' | The user 'SeTcbPrivilege' setting does not contain the following users: NULL SID | False |
| 0047 | Ensure 'Adjust memory quotas for a process' set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0048 | Ensure 'Allow log on locally' set to 'Administrators, Users' | Compliant | True |
| 0049 | Ensure 'SeBackupPrivilege' is set to 'Administrator' | Compliant | True |
| 0050 | Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE' | Compliant | True |
| 0051 | Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\Users | False |
| 0052 | Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICE | False |
| 0053 | Ensure 'SeCreateTokenPrivilege' is set to 'None' | The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SID | False |
| 0054 | Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0055 | Ensure 'SeCreatePermanentPrivilege' is set to 'None' | The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SID | False |
| 0056 | Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator' | Compliant | True |
| 0057 | Ensure 'SeDebugPrivilege' is set to 'Administrator' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
| 0064 | Ensure 'SeEnableDelegationPrivilege' is set to 'None' | The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SID | False |
| 0066 | Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator' | Compliant | True |
| 0067 | Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
| 0068 | Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICE | False |
| 0069 | Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator' | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False |
| 0085 | Ensure 'SeRelabelPrivilege' is set to 'None' | The user 'SeRelabelPrivilege' setting does not contain the following users: NULL SID | False |
| 0086 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator' | Compliant | True |
| 0087 | Ensure 'SeManageVolumePrivilege' is set to 'Administrator' | Compliant | True |
| 0088 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator' | Compliant | True |
| 0089 | Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE\WdiServiceHost' | Compliant | True |
0090 Ensure 'SeRestorePrivilege' is set to 'Administrator'CompliantTrue
0091 Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users'CompliantTrue
0094 Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator'CompliantTrue
0104 Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest'CompliantTrue
0105 Ensure 'SeDenyBatchLogonRight' is set to 'Guest'CompliantTrue
0106 Ensure 'SeDenyServiceLogonRight' is set to 'Guest'CompliantTrue
0107 Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest'CompliantTrue
0108 Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest'CompliantTrue
0180 Ensure 'Load and unload device drivers' is set to 'Administrator'CompliantTrue
0181 Ensure 'Lock pages in memory' is set to 'No one'The user 'SeLockMemoryPrivilege' setting does not contain the following users: NULL SIDFalse
0182 Ensure 'Log on as a batch job' is set to 'Administrator'CompliantTrue
0183 Ensure 'Log on as a service' is set to 'No one'The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines +The user 'SeServiceLogonRight' setting does not contain the following users: NULL SIDFalse
0184 Ensure 'Manage auditing and security log' is set to 'Administrator'CompliantTrue
0219 Ensure 'Replace a process level token' is set to 'Local Service, Network Service'CompliantTrue
0303 Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User'The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\AdministratorsFalse

Account Policies-

IdTaskMessageStatus
0001 Ensure 'Maximum password age' is set to between 1 and 42'MaximumPasswordAge' currently set to: 120. Expected: x <= 42 and x >= 1False
0002 Ensure 'Password must meet complexity requirements' is set to 'Enabled'CompliantTrue
0100 Ensure 'Reset account lockout counter after' is set greater or equal 15CompliantTrue
0102 Ensure 'Account lockout duration' is set to '15 or more minute(s)'CompliantTrue
0103Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10CompliantTrue
0162 Ensure 'Enforce password history' is set greater or equal 24CompliantTrue
0186 Ensure 'Minimum password age' is set to greater or equal 1CompliantTrue
0187 Ensure 'Minimum password length' is set to greater or equal 14CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
0008 Ensure 'Audit Application Group Management' is set to 'Success and Failure'CompliantTrue
0011 Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'Set to: No AuditingFalse
0012 Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure'Set to: SuccessFalse
0013 Ensure 'Audit account management' is set to 'SuccessAndFailure'CompliantTrue
0014 Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0015 Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0016 Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure'CompliantTrue
0017 Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure'Set to: FailureFalse
0018 Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure'CompliantTrue
0019 Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure'CompliantTrue
0020 Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled'CompliantTrue
0021 Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure'CompliantTrue
0022 Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0023 Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0025 Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure'CompliantTrue
0026 Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure'CompliantTrue
0027 Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0028 Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure'Set to: SuccessFalse
0029 Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure'CompliantTrue

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package.

Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
  • DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
  • CYBERGOVAU Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2020, Date 2020-10-01
  • Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 12/07/2022 10:32:36 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.

A total of 2682 tests have been executed.

  1. True 2157 test(s) ≙ 80.43%
  2. False 521 test(s) ≙ 19.43%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 4 test(s) ≙ 0.15%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 512 tests have been executed in section CIS Benchmarks.

  1. True 478 test(s) ≙ 93.36%
  2. False 33 test(s) ≙ 6.45%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 0.20%
  5. Error 0 test(s) ≙ 0.00%

DISA Recommendations

A total of 161 tests have been executed in section DISA Recommendations.

  1. True 133 test(s) ≙ 82.61%
  2. False 25 test(s) ≙ 15.53%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 3 test(s) ≙ 1.86%
  5. Error 0 test(s) ≙ 0.00%

CyberGovAu Benchmarks

A total of 381 tests have been executed in section CyberGovAu Benchmarks.

  1. True 196 test(s) ≙ 51.44%
  2. False 185 test(s) ≙ 48.56%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 357 tests have been executed in section Microsoft Benchmarks.

  1. True 306 test(s) ≙ 85.71%
  2. False 51 test(s) ≙ 14.29%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.

  1. True 48 test(s) ≙ 94.12%
  2. False 3 test(s) ≙ 5.88%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS HD

A total of 384 tests have been executed in section BSI Benchmarks SiSyPHuS HD.

  1. True 327 test(s) ≙ 85.16%
  2. False 57 test(s) ≙ 14.84%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS ND

A total of 292 tests have been executed in section BSI Benchmarks SiSyPHuS ND.

  1. True 252 test(s) ≙ 86.30%
  2. False 40 test(s) ≙ 13.70%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS NE

A total of 262 tests have been executed in section BSI Benchmarks SiSyPHuS NE.

  1. True 223 test(s) ≙ 85.11%
  2. False 39 test(s) ≙ 14.89%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHus-BSI

A total of 7 tests have been executed in section BSI Benchmarks SiSyPHus-BSI.

  1. True 5 test(s) ≙ 71.43%
  2. False 2 test(s) ≙ 28.57%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHus-BSI Bundespolizei

A total of 275 tests have been executed in section BSI Benchmarks SiSyPHus-BSI Bundespolizei.

  1. True 189 test(s) ≙ 68.73%
  2. False 86 test(s) ≙ 31.27%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Security Base Data

System information

HostnameDESKTOP-UTMU75K.fb-pro.com
Domain roleMember Workstation
Operating SystemMicrosoft Windows 10 Pro
Build NumberVersion 21H2 (Build 19044.2251)
Installation LanguageEnglish (United States)
System Uptime0:01:58:33
Free disk space40.3 GB
Free physical memory23.1% (4.8 GB / 20.7 GB)

Table Of Contents

Click the link(s) below for quick access to a report section.

Security Base Data Details

Security Base Data-

Platform Security-

IdTaskMessageStatus
SBD-001Ensure the system is booting in 'UEFI' mode.CompliantTrue
SBD-002Ensure the system is using SecureBoot.CompliantTrue
SBD-003Ensure the TPM Chip is 'present'.CompliantTrue
SBD-004Ensure the TPM Chip is 'ready'.CompliantTrue
SBD-005Ensure the TPM Chip is 'enabled'.CompliantTrue
SBD-006Ensure the TPM Chip is 'activated'.CompliantTrue
SBD-007Ensure the TPM Chip is 'owned'.CompliantTrue
SBD-008Ensure the TPM Chip is implementing specification version 2.0 or higher.CompliantTrue

Windows Base Security-

IdTaskMessageStatus
SBD-009Get amount of active local users on system.CompliantTrue
SBD-010Get amount of users and groups in administrators group on system.Amount of entries: 2; + True
SBD-011Ensure the status of the Bitlocker service is 'Running'.CompliantTrue
SBD-012Ensure that Bitlocker is activated on all volumes.Bitlocker is not activated on all volumes.False
SBD-013Ensure the status of the Windows Defender service is 'Running'.CompliantTrue
SBD-014Ensure Windows Defender Application Guard is enabled.Windows Defender Application Guard is not enabled.False
SBD-015Ensure the Windows Firewall is enabled on all profiles.CompliantTrue
SBD-016Check if the last successful search for updates was in the past 24 hours.CompliantTrue
SBD-017Check if the last successful installation of updates was in the past 5 days.CompliantTrue
SBD-018Ensure Virtualization Based Security is enabled and running.CompliantTrue
SBD-019Ensure Hypervisor-protected Code Integrity (HVCI) is running.CompliantTrue
SBD-020Ensure Credential Guard is running.CompliantTrue
SBD-021Ensure Attack Surface Reduction (ASR) rules are enabled.Compliant (12 rules enabled). For more information on ASR rules, check corresponding benchmarks.True

PowerShell Security-

IdTaskMessageStatus
SBD-022Ensure PowerShell Version is set to version 5 or higher.CompliantTrue
SBD-023Ensure PowerShell Version 2 is uninstalled.PowerShell Version 2 is supported.False
SBD-024Ensure PowerShell is set to configured to use Constrained Language.Language Mode is not set to 'Constrained Language'. Current configuration: FullLanguageFalse
SBD-025Ensure Execution policy is set to set to AllSigned / RemoteSigned.CompliantTrue
SBD-026Ensure PowerShell Commandline Audting is set to 'Enabled'.CompliantTrue
SBD-027Ensure PowerShell Module Logging is set to 'Enabled'.PowerShell Module Logging is not set to 'Enabled'.False
SBD-028Ensure PowerShell ScriptBlockLogging is set to 'Enabled'.CompliantTrue
SBD-029Ensure PowerShell ScriptBlockInvocationLogging is set to 'Enabled'.PowerShell ScriptBlockInvocationLogging is not set to 'Enabled'.False
SBD-030Ensure PowerShell Transcripting is set to 'Enabled'.PowerShell Transcripting is not set to 'Enabled'.False
SBD-031Ensure PowerShell InvocationHeader is set to 'Enabled'.PowerShell InvocationHeader is not set to 'Enabled'.False
SBD-032Ensure PowerShell ProtectedEventLogging is set to set to 'Enabled'.PowerShell ProtectedEventLogging is not set to 'Enabled'.False
SBD-033Ensure .NET Framework version supports PowerShell Version 2 is uninstalled.CompliantTrue

Connectivity Security-

IdTaskMessageStatus
SBD-034Ensure system is configured to deny remote access via Terminal Services.CompliantTrue
SBD-035Ensure system is configured to prevent RDP service.CompliantTrue
SBD-036Ensure NTLM Session Server Security settings are configured.CompliantTrue
SBD-037Ensure WinFW Service is running.CompliantTrue
SBD-038Ensure NetBios is set to 'Disabled'.NetBios is 'Enabled'.False
SBD-039Ensure SMBv1 is set to 'Disabled'.CompliantTrue

Application Control-

IdTaskMessageStatus
SBD-040Ensure Windows Defender Application Control (WDAC) is available.Only supported on Windows 10 Enterprise.None
SBD-041Ensure Windows Defender Application ID Service is running.AppLocker is not running. Currently: StoppedFalse

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How do we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here

Contact us:

FB Pro GmbH

Fon: +49 6727 7559039

Web: https://www.fb-pro.com/

Mail: info@fb-pro.com

Can we help you?

Do you need support with system hardening?

Our team of system hardening experts will be happy to provide you with advice and support.

Contact us for a no-obligation inquiry!

\ No newline at end of file diff --git a/Samples/Microsoft Windows 10 All_RiskScore.html b/Samples/Microsoft Windows 10 All_RiskScore.html new file mode 100644 index 0000000..3826ec0 --- /dev/null +++ b/Samples/Microsoft Windows 10 All_RiskScore.html @@ -0,0 +1,35 @@ +Windows 10 Report [12/07/2022 10:37:11]

Windows 10 Report

521
2157
2682
80.43
31
0

Hardening Settings

Table Of Contents

Click the link(s) below for quick access to a report section.

Benchmark Details

CIS Benchmarks-

This section contains the CIS Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1.1.6(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'CompliantTrue
2.3.1.2(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'CompliantTrue
2.3.1.4(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'CompliantTrue
2.3.2.1(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
2.3.2.2(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
2.3.4.1(L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'CompliantTrue
2.3.4.2(L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'CompliantTrue
2.3.6.1(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'CompliantTrue
2.3.6.2(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'CompliantTrue
2.3.6.3(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'CompliantTrue
2.3.6.4(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'CompliantTrue
2.3.6.5(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'CompliantTrue
2.3.6.6(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'CompliantTrue
2.3.7.1(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'CompliantTrue
2.3.7.2(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'CompliantTrue
2.3.7.3(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'CompliantTrue
2.3.7.4(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'CompliantTrue
2.3.7.5(L1) Configure 'Interactive logon: Message text for users attempting to log on'CompliantTrue
2.3.7.6(L1) Configure 'Interactive logon: Message title for users attempting to log on'CompliantTrue
2.3.7.7(L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'CompliantTrue
2.3.7.8(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'CompliantTrue
2.3.7.9(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higherCompliantTrue
2.3.8.1(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
2.3.8.2(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'CompliantTrue
2.3.8.3(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'CompliantTrue
2.3.9.1(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'CompliantTrue
2.3.9.2(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
2.3.9.3(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'CompliantTrue
2.3.9.4(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'CompliantTrue
2.3.9.5(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higherCompliantTrue
2.3.10.1(L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'Registry value not found.False
2.3.10.2(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'CompliantTrue
2.3.10.3(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'CompliantTrue
2.3.10.4(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'CompliantTrue
2.3.10.5(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'CompliantTrue
2.3.10.6(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'CompliantTrue
2.3.10.7(L1) Ensure 'Network access: Remotely accessible registry paths' is configuredCompliantTrue
2.3.10.8(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configuredCompliantTrue
2.3.10.9(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'CompliantTrue
2.3.10.10(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'CompliantTrue
2.3.10.11(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'CompliantTrue
2.3.10.12(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'CompliantTrue
2.3.11.1(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'CompliantTrue
2.3.11.2(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'CompliantTrue
2.3.11.3(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'CompliantTrue
2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'CompliantTrue
2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'CompliantTrue
2.3.11.7(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'CompliantTrue
2.3.11.8(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higherCompliantTrue
2.3.11.9(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
2.3.11.10(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
2.3.14.1(L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higherCompliantTrue
2.3.15.1(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'CompliantTrue
2.3.15.2(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'CompliantTrue
2.3.17.1(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'CompliantTrue
2.3.17.2(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'CompliantTrue
2.3.17.3(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'Registry value is '3'. Expected: 0False
2.3.17.4(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'CompliantTrue
2.3.17.5(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'CompliantTrue
2.3.17.6(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'CompliantTrue
2.3.17.7(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'CompliantTrue
2.3.17.8(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'CompliantTrue
5.1(L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'Registry value is '3'. Expected: 4False
5.2(L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'Registry value is '3'. Expected: 4False
5.3(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.4(L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'CompliantTrue
5.5(L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'CompliantTrue
5.6(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.7(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.8(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'CompliantTrue
5.9(L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'CompliantTrue
5.10(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.11(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.12(L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'CompliantTrue
5.13(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.14(L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'CompliantTrue
5.15(L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'CompliantTrue
5.16(L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'CompliantTrue
5.17(L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'CompliantTrue
5.18(L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled'Registry value is '2'. Expected: 4False
5.19(L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'CompliantTrue
5.20(L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'CompliantTrue
5.21(L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'CompliantTrue
5.22(L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'CompliantTrue
5.23(L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'CompliantTrue
5.24(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'CompliantTrue
5.25(L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'CompliantTrue
5.26(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'CompliantTrue
5.27(L2) Ensure 'Server (LanmanServer)' is set to 'Disabled'CompliantTrue
5.28(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.29(L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.30(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.31(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'CompliantTrue
5.32(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'CompliantTrue
5.33(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.34(L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'CompliantTrue
5.35(L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'CompliantTrue
5.36(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.37(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'CompliantTrue
5.38(L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'CompliantTrue
5.39(L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'CompliantTrue
5.40(L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'Registry value is '2'. Expected: 4False
5.41(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'CompliantTrue
5.42(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'CompliantTrue
5.43(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'CompliantTrue
5.44(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'CompliantTrue
5.45(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'CompliantTrue
9.1.1(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'CompliantTrue
9.1.2(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'CompliantTrue
9.1.3(L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'Registry value is '0'. Expected: 1False
9.1.4(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'CompliantTrue
9.1.5(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'CompliantTrue
9.1.6(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'Registry key not found.False
9.1.7(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'Registry key not found.False
9.1.8(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'Registry key not found.False
9.2.1(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'CompliantTrue
9.2.2(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'CompliantTrue
9.2.3(L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'Registry value is '0'. Expected: 1False
9.2.4(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'CompliantTrue
9.2.5(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'CompliantTrue
| ID | Level | Check | Result | Compliant |
|---|---|---|---|---|
| 9.2.6 | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
| 9.2.7 | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
| 9.2.8 | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
| 9.3.1 | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | Compliant | True |
| 9.3.2 | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | Compliant | True |
| 9.3.3 | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | Registry value is '0'. Expected: 1 | False |
| 9.3.4 | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | Compliant | True |
| 9.3.5 | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True |
| 9.3.6 | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True |
| 9.3.7 | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True |
| 9.3.8 | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
| 9.3.9 | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
| 9.3.10 | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
| 18.1.1.1 | L1 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Compliant | True |
| 18.1.1.2 | L1 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Compliant | True |
| 18.1.2.2 | L1 | Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' | Compliant | True |
| 18.1.3 | L2 | Ensure 'Allow Online Tips' is set to 'Disabled' | Compliant | True |
| 18.2.2 | L1 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | Compliant | True |
| 18.2.3 | L1 | Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Compliant | True |
| 18.2.4 | L1 | Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' | Compliant | True |
| 18.2.5 | L1 | Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' | Compliant | True |
| 18.2.6 | L1 | Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | Compliant | True |
| 18.3.1 | L1 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Compliant | True |
| 18.3.2 | L1 | Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | Compliant | True |
| 18.3.3 | L1 | Ensure 'Configure SMB v1 server' is set to 'Disabled' | Compliant | True |
| 18.3.4 | L1 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Compliant | True |
| 18.3.5 | L1 | Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) | Compliant | True |
| 18.3.6 | L1 | Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') | Compliant | True |
| 18.3.7 | L1 | Ensure 'WDigest Authentication' is set to 'Disabled' | Compliant | True |
| 18.4.1 | L1 | Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Compliant | True |
| 18.4.2 | L1 | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Compliant | True |
| 18.4.3 | L1 | Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Compliant | True |
| 18.4.4 | L2 | Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' | Compliant | True |
| 18.4.5 | L1 | Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Compliant | True |
| 18.4.6 | L2 | Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | Compliant | True |
| 18.4.7 | L1 | Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Compliant | True |
| 18.4.8 | L2 | Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' | Compliant | True |
| 18.4.9 | L1 | Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | Compliant | True |
| 18.4.10 | L1 | Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Compliant | True |
| 18.4.11 | L2 | Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Compliant | True |
| 18.4.12 | L2 | Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Compliant | True |
| 18.4.13 | L1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True |
| 18.5.4.1 | L1 | Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher | Compliant | True |
| 18.5.4.2 | L1 | Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Compliant | True |
| 18.5.5.1 | L2 | Ensure 'Enable Font Providers' is set to 'Disabled' | Compliant | True |
| 18.5.8.1 | L1 | Ensure 'Enable insecure guest logons' is set to 'Disabled' | Compliant | True |
| 18.5.9.1 A | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain) | Compliant | True |
| 18.5.9.1 B | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public) | Compliant | True |
| 18.5.9.1 C | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO) | Compliant | True |
| 18.5.9.1 D | L2 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private) | Compliant | True |
| 18.5.9.2 A | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnDomain) | Compliant | True |
| 18.5.9.2 B | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnPublicNet) | Compliant | True |
| 18.5.9.2 C | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr) | Compliant | True |
| 18.5.9.2 D | L2 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (ProhibitRspndrOnPrivateNet) | Compliant | True |
| 18.5.10.2 | L2 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Compliant | True |
| 18.5.11.2 | L1 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Compliant | True |
| 18.5.11.3 | L1 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Compliant | True |
| 18.5.11.4 | L1 | Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | Compliant | True |
| 18.5.14.1 A | L1 | Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Compliant | True |
| 18.5.14.1 B | L1 | Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Compliant | True |
| 18.5.19.2.1 | L2 | Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | Compliant | True |
| 18.5.20.1 | L2 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | Compliant | True |
| 18.5.20.2 | L2 | Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | Compliant | True |
| 18.5.21.1 | L1 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | Registry value not found. | False |
| 18.5.21.2 | L1 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
| 18.5.23.2.1 | L1 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' | Compliant | True |
| 18.6.1 | L1 | Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | Compliant | True |
| 18.6.2 | L1 | Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Compliant | True |
| 18.6.3 | L1 | Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | Compliant | True |
| 18.7.1.1 | L2 | Ensure 'Turn off notifications network usage' is set to 'Enabled' | Compliant | True |
| 18.8.3.1 | L1 | Ensure 'Include command line in process creation events' is set to 'Enabled' | Compliant | True |
| 18.8.4.1 | L1 | Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | Compliant | True |
| 18.8.4.2 | L1 | Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Compliant | True |
| 18.8.5.1 | NG | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 18.8.5.2 | NG | Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' | Compliant | True |
| 18.8.5.3 | NG | Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' | Compliant | True |
| 18.8.5.4 | NG | Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | Compliant | True |
| 18.8.5.5 | NG | Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' | Compliant | True |
| 18.8.5.6 | NG | Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' | Compliant | True |
| 18.8.7.1.1 | BL | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 18.8.7.1.2 | BL | Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Compliant | True |
| 18.8.7.1.3 | BL | Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Registry value not found. | False |
| 18.8.7.1.4 | BL | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True |
| 18.8.7.1.5 | BL | Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | Compliant | True |
| 18.8.7.1.6 | BL | Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Compliant | True |
| 18.8.7.2 | L1 | Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) | Compliant | True |
| 18.8.14.1 | L1 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | Compliant | True |
| 18.8.21.2 | L1 | Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Compliant | True |
| 18.8.21.3 | L1 | Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Compliant | True |
| 18.8.21.4 | L1 | Ensure 'Continue experiences on this device' is set to 'Disabled' | Compliant | True |
| 18.8.21.5 | L1 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Compliant | True |
| 18.8.22.1.1 | L2 | Ensure 'Turn off access to the Store' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.2 | L1 | Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.3 | L2 | Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.4 | L2 | Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.5 | L2 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.6 | L1 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.7 | L2 | Ensure 'Turn off printing over HTTP' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.8 | L2 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.9 | L2 | Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.10 | L2 | Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.11 | L2 | Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.12 | L2 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.13 | L2 | Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.14 A | L2 | Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Compliant | True |
| 18.8.22.1.14 B | L2 | Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Registry value is '0'. Expected: x == 1 | False |
| 18.8.25.1 A | L2 | Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) | Compliant | True |
| 18.8.25.1 B | L2 | Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) | Compliant | True |
| 18.8.26.1 | BL | Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' | Compliant | True |
| 18.8.27.1 | L2 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' | Compliant | True |
| 18.8.28.1 | L1 | Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Compliant | True |
| 18.8.28.2 | L1 | Ensure 'Do not display network selection UI' is set to 'Enabled' | Compliant | True |
| 18.8.28.3 | L1 | Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | Compliant | True |
| 18.8.28.4 | L1 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Compliant | True |
| 18.8.28.5 | L1 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Compliant | True |
| 18.8.28.6 | L1 | Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Compliant | True |
| 18.8.28.7 | L1 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Compliant | True |
| 18.8.31.1 | L2 | Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' | Compliant | True |
| 18.8.31.2 | L2 | Ensure 'Allow upload of User Activities' is set to 'Disabled' | Compliant | True |
| 18.8.34.6.1 | L1 | Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | Compliant | True |
| 18.8.34.6.2 | L1 | Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' | Compliant | True |
| 18.8.34.6.3 | BL | Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Compliant | True |
| 18.8.34.6.4 | BL | Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Compliant | True |
| 18.8.34.6.5 | L1 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | Compliant | True |
| 18.8.34.6.6 | L1 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Compliant | True |
| 18.8.36.1 | L1 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Compliant | True |
| 18.8.36.2 | L1 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Compliant | True |
| 18.8.37.1 | L1 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' | Compliant | True |
| 18.8.37.2 | L1 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' | Compliant | True |
| 18.8.48.5.1 | L2 | Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Compliant | True |
| 18.8.48.11.1 | L2 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | Compliant | True |
| 18.8.50.1 | L2 | Ensure 'Turn off the advertising ID' is set to 'Enabled' | Compliant | True |
| 18.8.53.1.1 | L2 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True |
| 18.8.53.1.2 | L2 | Ensure 'Enable Windows NTP Server' is set to 'Disabled' | Compliant | True |
| 18.9.4.1 | L2 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' | Compliant | True |
| 18.9.4.2 | L1 | Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' | Compliant | True |
| 18.9.5.1 | L1 | Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' | Compliant | True |
| 18.9.6.1 | L1 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' | Compliant | True |
| 18.9.6.2 | L2 | Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' | Compliant | True |
| 18.9.8.1 | L1 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True |
| 18.9.8.2 | L1 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' | Compliant | True |
| 18.9.8.3 | L1 | Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | Compliant | True |
| 18.9.10.1.1 | L1 | Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' | Compliant | True |
| 18.9.11.1.1 | BL | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Compliant | True |
| 18.9.11.1.2 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 18.9.11.1.3 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.1.4 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Compliant | True |
| 18.9.11.1.5 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' | Compliant | True |
| 18.9.11.1.6 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.1.7 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.1.8 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' | Compliant | True |
| 18.9.11.1.9 | BL | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.1.10 | BL | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' | Compliant | True |
| 18.9.11.1.11 | BL | Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' | Compliant | True |
| 18.9.11.1.12 | BL | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Compliant | True |
| 18.9.11.1.13 | BL | Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.2.1 | BL | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Compliant | True |
| 18.9.11.2.2 | BL | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' | Compliant | True |
| 18.9.11.2.3 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 18.9.11.2.4 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.2.5 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | Compliant | True |
| 18.9.11.2.6 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Compliant | True |
| 18.9.11.2.7 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.2.8 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.2.9 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' | Compliant | True |
| 18.9.11.2.10 | BL | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.2.11 | BL | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' | Compliant | True |
| 18.9.11.2.12 | BL | Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' | Compliant | True |
| 18.9.11.2.13 | BL | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Compliant | True |
| 18.9.11.2.14 | BL | Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.3.1 | BL | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' | Compliant | True |
| 18.9.11.3.2 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False |
| 18.9.11.3.3 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.3.4 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | Registry value not found. | False |
| 18.9.11.3.5 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Compliant | True |
| 18.9.11.3.6 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.3.7 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.3.8 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' | Compliant | True |
| 18.9.11.3.9 | BL | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.3.10 | BL | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' | Compliant | True |
| 18.9.11.3.11 | BL | Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' | Registry value not found. | False |
| 18.9.11.3.12 | BL | Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' | Compliant | True |
| 18.9.11.3.13 | BL | Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | Compliant | True |
| 18.9.11.3.14 | BL | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Compliant | True |
| 18.9.11.3.15 | BL | Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Compliant | True |
| 18.9.11.4 | BL | Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' | Compliant | True |
| 18.9.12.1 | L2 | Ensure 'Allow Use of Camera' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False |
| 18.9.14.1 | L1 | Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | Compliant | True |
| 18.9.14.2 | L2 | Ensure 'Turn off cloud optimized content' is set to 'Enabled' | Compliant | True |
| 18.9.14.3 | L1 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Compliant | True |
| 18.9.15.1 | L1 | Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Compliant | True |
| 18.9.16.1 | L1 | Ensure 'Do not display the password reveal button' is set to 'Enabled' | Compliant | True |
| 18.9.16.2 | L1 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Compliant | True |
| 18.9.16.3 | L1 | Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | Compliant | True |
| 18.9.17.1 | L1 | Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' | Compliant | True |
| 18.9.17.2 | L2 | Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' | Compliant | True |
| 18.9.17.3 | L1 | Ensure 'Disable OneSettings Downloads' is enabled. | Compliant | True |
| 18.9.17.4 | L1 | Ensure 'Do not show feedback notifications' is set to 'Enabled' | Compliant | True |
| 18.9.17.5 | L1 | Ensure 'Enable OneSettings Auditing' is set to 'Enabled' | Compliant | True |
| 18.9.17.6 | L1 | Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' | Compliant | True |
| 18.9.17.7 | L1 | Ensure 'Limit Dump Collection' is set to 'Enabled' | Compliant | True |
| 18.9.17.8 | L1 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled' | Compliant | True |
| 18.9.18.1 | L1 | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Compliant | True |
| 18.9.27.1.1 | L1 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 18.9.27.1.2 | L1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 18.9.27.2.1 | L1 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 18.9.27.2.2 | L1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True |
| 18.9.27.3.1 | L1 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 18.9.27.3.2 | L1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 18.9.27.4.1 | L1 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
| 18.9.27.4.2 | L1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
| 18.9.31.2 | L1 | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | Compliant | True |
| 18.9.31.3 | L1 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | Compliant | True |
| 18.9.31.4 | L1 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Compliant | True |
| 18.9.36.1 | L1 | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'. | Compliant | True |
| 18.9.41.1 | L2 | Ensure 'Turn off location' is set to 'Enabled' | Compliant | True |
| 18.9.45.1 | L2 | Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | Compliant | True |
| 18.9.46.1 | L1 | Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | Compliant | True |
| 18.9.47.4.1 | L1 | Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Compliant | True |
| 18.9.47.4.2 | L2 | Ensure 'Join Microsoft MAPS' is set to 'Disabled' | Compliant | True |
| 18.9.47.5.1.1 | L1 | Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | Compliant | True |
| 18.9.47.5.1.2 A | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
| 18.9.47.5.1.2 B | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 18.9.47.5.1.2 C | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 18.9.47.5.1.2 D | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 18.9.47.5.1.2 E | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 18.9.47.5.1.2 F | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 18.9.47.5.1.2 G | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 18.9.47.5.1.2 H | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 18.9.47.5.1.2 I | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 18.9.47.5.1.2 J | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 18.9.47.5.1.2 K | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 18.9.47.5.1.2 L | L1 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True |
| 18.9.47.5.3.1 | L1 | Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' | Compliant | True |
| 18.9.47.6.1 | L2 | Ensure 'Enable file hash computation feature' is set to 'Enabled' | Compliant | True |
| 18.9.47.9.1 | L1 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' | Compliant | True |
| 18.9.47.9.2 | L1 | Ensure 'Turn off real-time protection' is set to 'Disabled' | Compliant | True |
| 18.9.47.9.3 | L1 | Ensure 'Turn on behavior monitoring' is set to 'Enabled' | Compliant | True |
| 18.9.47.9.4 | L1 | Ensure 'Turn on script scanning' is set to 'Enabled' | Compliant | True |
| 18.9.47.11.1 | L2 | Ensure 'Configure Watson events' is set to 'Disabled' | Compliant | True |
| 18.9.47.12.1 | L1 | Ensure 'Scan removable drives' is set to 'Enabled' | Compliant | True |
| 18.9.47.12.2 | L1 | Ensure 'Turn on e-mail scanning' is set to 'Enabled' | Compliant | True |
| 18.9.47.15 | L1 | Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' | Compliant | True |
| 18.9.47.16 | L1 | Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' | Compliant | True |
| 18.9.48.1 | NG | Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' | Compliant | True |
| 18.9.48.2 | NG | Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' | Compliant | True |
| 18.9.48.3 | NG | Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' | Compliant | True |
| 18.9.48.4 | NG | Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled' | Compliant | True |
| 18.9.48.5 | NG | Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' | Compliant | True |
| 18.9.48.6 | NG | Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' | Compliant | True |
| 18.9.57.1 | L2 | Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' | Compliant | True |
| 18.9.58.1 | L1 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Registry key not found. | False |
| 18.9.64.1 | L2 | Ensure 'Turn off Push To Install service' is set to 'Enabled' | Compliant | True |
| 18.9.65.2.2 | L1 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.2.1 | L2 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True |
| 18.9.65.3.3.1 | L2 | Ensure 'Allow UI Automation redirection' is set to 'Disabled' | Compliant | True |
| 18.9.65.3.3.2 | L2 | Ensure 'Do not allow COM port redirection' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.3.3 | L1 | Ensure 'Do not allow drive redirection' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.3.4 | L2 | Ensure 'Do not allow location redirection' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.3.5 | L2 | Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.3.6 | L2 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.9.1 | L1 | Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.9.2 | L1 | Ensure 'Require secure RPC communication' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.9.3 | L1 | Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | Compliant | True |
| 18.9.65.3.9.4 | L1 | Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | Compliant | True |
| 18.9.65.3.9.5 | L1 | Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' | Compliant | True |
| 18.9.65.3.10.1 | L2 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | Compliant | True |
| 18.9.65.3.10.2 | L2 | Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | Compliant | True |
| 18.9.65.3.11.1 | L1 | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Compliant | True |
| 18.9.66.1 | L1 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | Compliant | True |
| 18.9.67.2 | L2 | Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' | Compliant | True |
| 18.9.67.3 | L1 | Ensure 'Allow Cortana' is set to 'Disabled' | Compliant | True |
| 18.9.67.4 | L1 | Ensure 'Allow Cortana above lock screen' is set to 'Disabled' | Compliant | True |
| 18.9.67.5 | L1 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | Compliant | True |
| 18.9.67.6 | L1 | Ensure 'Allow search and Cortana to use location' is set to 'Disabled' | Compliant | True |
| 18.9.72.1 | L2 | Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' | Compliant | True |
| 18.9.75.1 | L2 | Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' | Registry value not found. | False |
| 18.9.75.2 | L1 | Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' | Compliant | True |
| 18.9.75.3 | L1 | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' | Compliant | True |
| 18.9.75.4 | L1 | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' | Compliant | True |
| 18.9.75.5 | L2 | Ensure 'Turn off the Store application' is set to 'Enabled' | Compliant | True |
| 18.9.81.1 | L1 | Ensure 'Allow widgets' is set to 'Disabled' | Compliant | True |
| 18.9.85.1.1 A | L1 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | Compliant | True |
| 18.9.85.1.1 B | L1 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel) | Compliant | True |
| 18.9.85.2.1 | L1 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Compliant | True |
| 18.9.85.2.2 | L1 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' (PreventOverride). | Compliant | True |
18.9.87.1(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'CompliantTrue
18.9.89.1(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'CompliantTrue
18.9.89.2(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'CompliantTrue
18.9.90.1(L1) Ensure 'Allow user control over installs' is set to 'Disabled'CompliantTrue
18.9.90.2(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (LocalMachine)CompliantTrue
18.9.90.3(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'CompliantTrue
18.9.91.1(L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'CompliantTrue
18.9.100.1(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.CompliantTrue
18.9.100.2(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue
18.9.102.1.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
18.9.102.1.2(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
18.9.102.1.3(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'CompliantTrue
18.9.102.2.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'CompliantTrue
18.9.102.2.2(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'Registry value not found.False
18.9.102.2.3(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'CompliantTrue
18.9.102.2.4(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'CompliantTrue
18.9.103.1(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'Registry value is '1'. Expected: 0False
18.9.104.1(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'CompliantTrue
18.9.104.2(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'CompliantTrue
18.9.105.2.1(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'CompliantTrue
18.9.108.1.1(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'CompliantTrue
18.9.108.2.1(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'CompliantTrue
18.9.108.2.2(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'CompliantTrue
18.9.108.2.3(L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'CompliantTrue
18.9.108.4.1(L1) Ensure 'Manage preview builds' is set to 'Disabled' (Automated)Registry value is '0'. Expected: 1False
18.9.108.4.2 A(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'CompliantTrue
18.9.108.4.2 B(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays)CompliantTrue
18.9.108.4.3 A(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'. (DeferQualityUpdates)CompliantTrue
18.9.108.4.3 B(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)CompliantTrue
19.7.8.5(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'Registry value not found.False

User Rights Assignment

Id | Task | Message | Status
2.2.1 | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True
2.2.2 | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators + The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
2.2.3 | (L1) Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True
2.2.4 | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
2.2.5 | (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' | Compliant | True
2.2.6 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' | Compliant | True
2.2.7 | (L1) Ensure 'Back up files and directories' is set to 'Administrators' | Compliant | True
2.2.8 | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Compliant | True
2.2.9 | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' | Compliant | True
2.2.10 | (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True
2.2.11 | (L1) Ensure 'Create a token object' is set to 'No One' | Compliant | True
2.2.12 | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
2.2.13 | (L1) Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True
2.2.14 A | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' [Hyper-V-Feature installed] | The user 'SeCreateSymbolicLinkPrivilege' setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines | False
2.2.14 B | (L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed) | Hyper-V installed. Please refer to the corresponding benchmark when Hyper-V is installed. | None
2.2.15 | (L1) Ensure 'Debug programs' is set to 'Administrators' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
2.2.16 | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' | Compliant | True
2.2.17 | (L1) Ensure 'Deny log on as a batch job' to include 'Guests' | Compliant | True
2.2.18 | (L1) Ensure 'Deny log on as a service' to include 'Guests' | Compliant | True
2.2.19 | (L1) Ensure 'Deny log on locally' to include 'Guests' | Compliant | True
2.2.20 | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | Compliant | True
2.2.21 | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Compliant | True
2.2.22 | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True
2.2.23 | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [ADFS-ROLE NOT installed] | Compliant | True
2.2.24 | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [IIS Role NOT installed] | Compliant | True
2.2.25 | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' | Compliant | True
2.2.26 | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True
2.2.27 | (L1) Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True
2.2.28 | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' | Compliant | True
2.2.29 | (L2) Configure 'Log on as a service' [Hyper-V-Feature NOT installed] | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False
2.2.30 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' | Compliant | True
2.2.31 | (L1) Ensure 'Modify an object label' is set to 'No One' | Compliant | True
2.2.32 | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True
2.2.33 | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True
2.2.34 | (L1) Ensure 'Profile single process' is set to 'Administrators' | Compliant | True
2.2.35 | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | Compliant | True
2.2.36 | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
2.2.37 | (L1) Ensure 'Restore files and directories' is set to 'Administrators' | Compliant | True
2.2.38 | (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' | Compliant | True
2.2.39 | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True

Account Policies

Id | Task | Message | Status
1.1.1 | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' | Compliant | True
1.1.2 | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Compliant | True
1.1.3 | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | Compliant | True
1.1.4 | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' | Compliant | True
1.1.5 | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Compliant | True
1.2.1 | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True
1.2.2 | (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Compliant | True
1.2.3 | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
17.1.1 | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True
17.2.1 | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Compliant | True
17.2.2 | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True
17.2.3 | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True
17.3.1 | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True
17.3.2 | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True
17.5.1 | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True
17.5.2 | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True
17.5.3 | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
17.5.4 | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
17.5.5 | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True
17.5.6 | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True
17.6.1 | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True
17.6.2 | (L1) Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True
17.6.3 | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True
17.6.4 | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True
17.7.1 | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
17.7.2 | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True
17.7.3 | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True
17.7.4 | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True
17.7.5 | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True
17.8.1 | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True
17.9.1 | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Compliant | True
17.9.2 | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True
17.9.3 | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True
17.9.4 | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True
17.9.5 | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True

DISA Recommendations

This section contains the DISA STIG results.

Registry Settings/Group Policies

Id | Task | Message | Status
WN10-CC-000310 | Users must be prevented from changing installation options. | Compliant | True
WN10-CC-000315 | The Windows Installer Always install with elevated privileges must be disabled. | Compliant | True
WN10-CC-000320 | Users must be notified if a web-based program attempts to install software. | Compliant | True
WN10-CC-000325 | Automatically signing in the last interactive user after a system-initiated restart must be disabled. | Compliant | True
WN10-CC-000330 | The Windows Remote Management (WinRM) client must not use Basic authentication. | Compliant | True
WN10-CC-000335 | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Compliant | True
WN10-CC-000340 | The Windows Remote Management (WinRM) client must not use Digest authentication. | Compliant | True
WN10-CC-000345 | The Windows Remote Management (WinRM) service must not use Basic authentication. | Compliant | True
WN10-CC-000350 | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Compliant | True
WN10-CC-000355 | The Windows Remote Management (WinRM) service must not store RunAs credentials. | Compliant | True
WN10-AU-000500 | The Application event log size must be configured to 32768 KB or greater. | Compliant | True
WN10-AU-000505 | The Security event log size must be configured to 1024000 KB or greater. | Registry value is '196608'. Expected: 1024000 | False
WN10-AU-000510 | The System event log size must be configured to 32768 KB or greater. | Compliant | True
WN10-CC-000005 | Camera access from the lock screen must be disabled. | Compliant | True
WN10-CC-000010 | The display of slide shows on the lock screen must be disabled. | Compliant | True
WN10-CC-000020 | IPv6 source routing must be configured to highest protection. | Compliant | True
WN10-CC-000025 | The system must be configured to prevent IP source routing. | Compliant | True
WN10-CC-000030 | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | Compliant | True
WN10-CC-000035 | The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Compliant | True
WN10-CC-000040 | Insecure logons to an SMB server must be disabled. | Compliant | True
WN10-CC-000055 | Simultaneous connections to the Internet or a Windows domain must be limited. | Registry value not found. | False
WN10-CC-000060 | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | Compliant | True
WN10-CC-000065 | Wi-Fi Sense must be disabled. | Compliant | True
WN10-CC-000037 | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | Compliant | True
WN10-CC-000085 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Registry value is '3'. Expected: 8 | False
WN10-CC-000090 | Group Policy objects must be reprocessed even if they have not changed. | Compliant | True
WN10-CC-000100 | Downloading print driver packages over HTTP must be prevented. | Compliant | True
WN10-SO-000015 | Local accounts with blank passwords must be restricted to prevent access from the network. | Compliant | True
WN10-CC-000105 | Web publishing and online ordering wizards must be prevented from downloading a list of providers. | Compliant | True
WN10-CC-000110 | Printing over HTTP must be prevented. | Compliant | True
WN10-CC-000115 | Systems must at least attempt device authentication using certificates. | Compliant | True
WN10-CC-000120 | The network selection user interface (UI) must not be displayed on the logon screen. | Compliant | True
WN10-CC-000130 | Local users on domain-joined computers must not be enumerated. | Compliant | True
WN10-SO-000030 | Audit policy using subcategories must be enabled. | Compliant | True
WN10-SO-000035 | Outgoing secure channel traffic must be encrypted or signed. | Compliant | True
WN10-SO-000040 | Outgoing secure channel traffic must be encrypted when possible. | Compliant | True
WN10-CC-000145 | Users must be prompted for a password on resume from sleep (on battery). | Compliant | True
WN10-SO-000045 | Outgoing secure channel traffic must be signed when possible. | Compliant | True
WN10-CC-000150 | The user must be prompted for a password on resume from sleep (plugged in). | Compliant | True
WN10-CC-000155 | Solicited Remote Assistance must not be allowed. | Compliant | True
WN10-SO-000050 | The computer account password must not be prevented from being reset. | Compliant | True
WN10-CC-000165 | Unauthenticated RPC clients must be restricted from connecting to the RPC server. | Compliant | True
WN10-CC-000170 | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | Compliant | True
WN10-CC-000175 | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Registry key not found. | False
WN10-SO-000060 | The system must be configured to require a strong session key. | Compliant | True
WN10-CC-000180 | Autoplay must be turned off for non-volume devices. | Compliant | True
WN10-SO-000070 | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. | Compliant | True
WN10-CC-000185 | The default autorun behavior must be configured to prevent autorun commands. | Compliant | True
WN10-CC-000190 | Autoplay must be disabled for all drives. | Compliant | True
WN10-CC-000195 | Enhanced anti-spoofing for facial recognition must be enabled on Windows 10. | Compliant | True
WN10-CC-000200 | Administrator accounts must not be enumerated during elevation. | Compliant | True
WN10-CC-000215 | Explorer Data Execution Prevention must be enabled. | Compliant | True
WN10-CC-000220 | Turning off File Explorer heap termination on corruption must be disabled. | Compliant | True
WN10-CC-000225 | File Explorer shell protocol must run in protected mode. | Compliant | True
WN10-SO-000095 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Compliant | True
WN10-CC-000230 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. | Compliant | True
WN10-CC-000235 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. | Compliant | True
WN10-SO-000100 | The Windows SMB client must be configured to always perform SMB packet signing. | Compliant | True
WN10-CC-000240 | InPrivate browsing in Microsoft Edge must be disabled. | Compliant | True
WN10-SO-000105 | The Windows SMB client must be enabled to perform SMB packet signing when possible. | Compliant | True
WN10-SO-000110 | Unencrypted passwords must not be sent to third-party SMB Servers. | Compliant | True
WN10-CC-000250 | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | Compliant | True
WN10-CC-000255 | The use of a hardware security device with Windows Hello for Business must be enabled. | Registry key not found. | False
WN10-SO-000120 | The Windows SMB server must be configured to always perform SMB packet signing. | Compliant | True
WN10-CC-000260 | Windows 10 must be configured to require a minimum pin length of six characters or greater. | Registry key not found. | False
WN10-SO-000125 | The Windows SMB server must perform SMB packet signing when possible. | Compliant | True
WN10-CC-000270 | Passwords must not be saved in the Remote Desktop Client. | Compliant | True
WN10-CC-000275 | Local drives must be prevented from sharing with Remote Desktop Session Hosts. | Compliant | True
WN10-CC-000280 | Remote Desktop Services must always prompt a client for passwords upon connection. | Compliant | True
WN10-CC-000285 | The Remote Desktop Session Host must require secure RPC communications. | Compliant | True
WN10-CC-000290 | Remote Desktop Services must be configured with the client connection encryption set to the required level. | Compliant | True
WN10-CC-000295 | Attachments must be prevented from being downloaded from RSS feeds. | Compliant | True
WN10-SO-000145 | Anonymous enumeration of SAM accounts must not be allowed. | Compliant | True
WN10-CC-000300 | Basic authentication for RSS feeds over HTTP must not be used. | Compliant | True
WN10-SO-000150 | Anonymous enumeration of shares must be restricted. | Compliant | True
WN10-CC-000305 | Indexing of encrypted files must be turned off. | Compliant | True
WN10-SO-000160 | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | Compliant | True
WN10-SO-000165 | Anonymous access to Named Pipes and Shares must be restricted. | Compliant | True
WN10-SO-000175 | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. | Compliant | True
WN10-SO-000180 | NTLM must be prevented from falling back to a Null session. | Compliant | True
WN10-SO-000185 | PKU2U authentication using online identities must be prevented. | Compliant | True
WN10-SO-000190 | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Compliant | True
WN10-SO-000195 | The system must be configured to prevent the storage of the LAN Manager hash of passwords. | Compliant | True
WN10-SO-000205 | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | Compliant | True
WN10-SO-000210 | The system must be configured to the required LDAP client signing level. | Compliant | True
WN10-SO-000215 | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | Compliant | True
WN10-SO-000220 | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | Compliant | True
WN10-SO-000230 | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | Registry value is '0'. Expected: 1 | False
WN10-SO-000240 | The default permissions of global system objects must be increased. | Compliant | True
WN10-SO-000245 | User Account Control approval mode for the built-in Administrator must be enabled. | Compliant | True
WN10-SO-000250 | User Account Control must, at minimum, prompt administrators for consent on the secure desktop. | Compliant | True
WN10-SO-000255 | User Account Control must automatically deny elevation requests for standard users. | Registry value is '3'. Expected: 0 | False
WN10-SO-000260 | User Account Control must be configured to detect application installations and prompt for elevation. | Compliant | True
WN10-SO-000265 | User Account Control must only elevate UIAccess applications that are installed in secure locations. | Compliant | True
WN10-SO-000270 | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | Compliant | True
WN10-SO-000275 | User Account Control must virtualize file and registry write failures to per-user locations. | Compliant | True
WN10-UC-000015 | Toast notifications to the lock screen must be turned off. | Registry key not found. | False
WN10-UC-000020 | Zone information must be preserved when saving attachments. | Registry key not found. | False
WN10-CC-000066 | Command line data must be included in process creation events. | Compliant | True
WN10-CC-000326 | PowerShell script block logging must be enabled. | Compliant | True
WN10-00-000150 | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. | Compliant | True
WN10-CC-000038 | WDigest Authentication must be disabled. | Compliant | True
WN10-CC-000044 | Internet connection sharing must be disabled. | Compliant | True
WN10-CC-000197 | Microsoft consumer experiences must be turned off. | Compliant | True
WN10-CC-000228 | Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. | Registry key not found. | False
WN10-CC-000252 | Windows 10 must be configured to disable Windows Game Recording and Broadcasting. | Compliant | True
WN10-CC-000068 | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. | Compliant | True
WN10-00-000165 | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. | Compliant | True
WN10-UC-000005 | The use of personal accounts for OneDrive synchronization must be disabled. | Registry key not found. | False
WN10-CC-000238 | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. | Compliant | True
WN10-CC-000204 | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. | Registry value not found. | False

User Rights Assignment

Id | Task | Message | Status
WN10-UR-000005 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000010 | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators + The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
WN10-UR-000015 | The Act as part of the operating system user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000025 | The Allow log on locally user right must only be assigned to the Administrators and Users groups. | Compliant | True
WN10-UR-000030 | The Back up files and directories user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000035 | The Change the system time user right must only be assigned to Administrators and Local Service. | Compliant | True
WN10-UR-000040 | The Create a pagefile user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000045 | The Create a token object user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000050 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True
WN10-UR-000055 | The Create permanent shared objects user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000065 | The Debug programs user right must only be assigned to the Administrators group. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
WN10-UR-000070 MW | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000070 SW | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Not applicable. This audit applies only to StandaloneWorkstation. | None
WN10-UR-000075 MW | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000080 MW | The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000085 MW | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000085 SW | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Not applicable. This audit applies only to StandaloneWorkstation. | None
WN10-UR-000090 MW | The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: FB-PRO\Enterprise Admins, FB-PRO\Domain Admins | False
WN10-UR-000090 SW | The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Not applicable. This audit applies only to StandaloneWorkstation. | None
WN10-UR-000100 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000105 | The Generate security audits user right must only be assigned to Local Service and Network Service. | Compliant | True
WN10-UR-000110 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True
WN10-UR-000115 | The Increase scheduling priority user right must only be assigned to the Administrators group. | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False
WN10-UR-000120 | The Load and unload device drivers user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000125 | The Lock pages in memory user right must not be assigned to any groups or accounts. | Compliant | True
WN10-UR-000130 | The Manage auditing and security log user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000140 | The Modify firmware environment values user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000145 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000150 | The Profile single process user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000160 | The Restore files and directories user right must only be assigned to the Administrators group. | Compliant | True
WN10-UR-000165 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | Compliant | True

Account Policies

Id | Task | Message | Status
WN10-AC-000005 | Windows 10 account lockout duration must be configured to 15 minutes or greater. | Compliant | True
WN10-AC-000010 | The number of allowed bad logon attempts must be configured to 3 or less. | 'LockoutBadCount' currently set to: 5. Expected: x <= 3 and x != 0 | False
WN10-AC-000015 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | Compliant | True
WN10-AC-000020 | The password history must be configured to 24 passwords remembered. | Compliant | True
WN10-AC-000025 | The maximum password age must be configured to 60 days or less. | 'MaximumPasswordAge' currently set to: 120. Expected: x <= 60 | False
WN10-AC-000030 | The minimum password age must be configured to at least 1 day. | Compliant | True
WN10-AC-000035 | Passwords must, at a minimum, be 14 characters. | Compliant | True
WN10-AC-000040 | The built-in Microsoft password complexity filter must be enabled. | Compliant | True
WN10-AC-000045 | Reversible password encryption must be disabled. | Compliant | True

Windows Features

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-00-000100 | Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | Compliant | True |
| WN10-00-000110 | Simple TCP/IP Services must not be installed on the system. | Compliant | True |
| WN10-00-000115 | The Telnet Client must not be installed on the system. | Compliant | True |
| WN10-00-000120 | The TFTP Client must not be installed on the system. | Compliant | True |

File System Permissions

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-AU-000515 | Permissions for the Application event log must prevent access by non-privileged accounts. | Compliant | True |
| WN10-AU-000520 | Permissions for the Security event log must prevent access by non-privileged accounts. | Compliant | True |
| WN10-AU-000525 | Permissions for the System event log must prevent access by non-privileged accounts. | Compliant | True |

Registry Permissions

| Id | Task | Message | Status |
|---|---|---|---|
| WN10-RG-000005 A | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Compliant | True |
| WN10-RG-000005 B | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |
| WN10-RG-000005 C | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |

CyberGovAu Benchmarks

This section contains the CyberGovAu Benchmark results.

Registry Settings/Group Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 1909.01 | Ensure 'Deploy Windows Defender Application Control' is set to 'Enabled' | Registry value not found. | False |
| 1909.02.1 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.02.2 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.03.1 | Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | Compliant | True |
| 1909.03.2 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 1909.03.3 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 1909.03.4 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 1909.03.5 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 1909.03.6 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 1909.03.7 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 1909.03.8 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 1909.03.9 | Ensure 'Configure Attack Surface Reduction rules' is configured (Block executable files from running unless they meet a prevalence, age, or trusted list criterion). | Registry value not found. | False |
| 1909.03.10 | Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware). | Registry value is '0'. Expected: 1 | False |
| 1909.03.11 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 1909.03.12 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block process creations originating from PSExec and WMI commands) | Registry value not found. | False |
| 1909.03.13 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 1909.03.14 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
| 1909.03.15 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 1909.03.16 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True |
| 1909.04 | Ensure 'WDigest Authentication' is set to 'Disabled' | Registry value is '0'. Expected: 1 | False |
| 1909.05.1 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.05.2 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.05.3 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
| 1909.06.1 | Ensure 'Configure allowed applications' is set to 'Enabled' | Registry key not found. | False |
| 1909.06.2 | Ensure 'Configure allowed applications' is set to 'Enabled' | Registry key not found. | False |
| 1909.07.1 | Ensure 'Configure Controlled folder access' is set to 'Enabled' | Registry key not found. | False |
| 1909.07.2 | Ensure 'Configure Controlled folder access' is set to 'Enabled' | Registry key not found. | False |
| 1909.08.1 | Ensure 'Configure protected folders' is set to 'Enabled' | Registry key not found. | False |
| 1909.08.2 | Ensure 'Configure protected folders' is set to 'Enabled' | Registry key not found. | False |
| 1909.09 | Ensure 'Do not display network selection UI' is set to 'Enabled' | Compliant | True |
| 1909.10 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Compliant | True |
| 1909.11 | Ensure 'Do not display the password reveal button' is set to 'Enabled' | Compliant | True |
| 1909.12 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Registry value not found. | False |
| 1909.13 | Ensure 'Require trusted path for credential entry' is set to 'Enabled' | Registry value not found. | False |
| 1909.14 | Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | Compliant | True |
| 1909.15 | Ensure 'Disable or enable software Secure Attention Sequence' is set to 'Disabled' | Registry value not found. | False |
| 1909.16 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' | Compliant | True |
| 1909.17 | Ensure 'Require Ctrl-Alt-Del' is set to 'Disabled' | Registry key not found. | False |
| 1909.18.1 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled' | Registry value is '3'. Expected: 1 | False |
| 1909.19.1 | Ensure 'Use a common set of exploit protection settings' is set to 'Enabled' | Registry key not found. | False |
| 1909.20 | Ensure 'Prevent users from modifying settings' is set to 'Enabled' | Compliant | True |
| 1909.21 | Ensure 'Turn off Data Execution Prevention' is set to 'Disabled' | Registry value not found. | False |
| 1909.22 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Compliant | True |
| 1909.23 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Compliant | True |
| 1909.24 | Ensure 'Allow Adobe Flash' is set to 'Disabled' | Compliant | True |
| 1909.25 | Ensure 'Allow Developer Tools' is set to 'Disabled' | Registry key not found. | False |
| 1909.27 | Ensure 'Configure Password Manager' is set to 'Disabled' | Compliant | True |
| 1909.28 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled' | Compliant | True |
| 1909.30 | Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' | Compliant | True |
| 1909.31 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' | Compliant | True |
| 1909.34 | Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled' | Compliant | True |
| 1909.36 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' | Compliant | True |
| 1909.37 | Ensure 'Allow Automatic Updates immediate installation' is set to 'Enabled' | Registry value not found. | False |
| 1909.38.1 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Compliant | True |
| 1909.38.2 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.38.3 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Compliant | True |
| 1909.38.4 | Ensure 'Configure Automatic Updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.39 | Ensure 'Do not include drivers with Windows Updates' is set to 'Disabled' | Registry value not found. | False |
| 1909.40 | Ensure 'Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.41 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | Compliant | True |
| 1909.42 | Ensure 'Remove access to use all Windows Update features' is set to 'Disabled' | Registry key not found. | False |
| 1909.43 | Ensure 'Turn on recommended updates via Automatic Updates' is set to 'Enabled' | Registry value not found. | False |
| 1909.44.1 | Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled' | Registry value not found. | False |
| 1909.44.2 | Ensure 'Specify intranet Microsoft update service location' is set to 'Enabled' | Registry value not found. | False |
| 1909.45 | Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Compliant | True |
| 1909.46 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Compliant | True |
| 1909.47 | Ensure 'Maximum configurable password age' is set to '365 days' | Registry value not found. | False |
| 1909.48 | Ensure 'Minimum password length' is set to '14 characters' | Registry key not found. | False |
| 1909.49 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Registry key not found. | False |
| 1909.50 | Ensure 'Standard User Lockout Duration' is set to '0' | Registry value not found. | False |
| 1909.51 | Ensure 'Standard User Individual Lockout Threshold' is set to '5' | Registry value not found. | False |
| 1909.52 | Ensure 'Enable insecure guest logons' is set to 'Disabled' | Compliant | True |
| 1909.53 | Ensure 'Turn off Microsoft Defender Antivirus' is set to 'Disabled' | Compliant | True |
| 1909.54 | Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Compliant | True |
| 1909.55 | Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled' | Registry value not found. | False |
| 1909.56.2 | Ensure 'Join Microsoft MAPS' is set to 'Enabled' | Registry value is '0'. Expected: 2 | False |
| 1909.57 | Ensure 'Send file samples when further analysis is required' is set to 'Enabled' | Registry value is '2'. Expected: 1 | False |
| 1909.58 | Ensure 'Configure extended cloud check' is set to 'Enabled' and set to '50' | Registry value not found. | False |
| 1909.59 | Ensure 'Select cloud protection level' is set to 'Enabled' | Registry value not found. | False |
| 1909.60 | Ensure 'Configure removal of items from Quarantine folder' is set to 'Disabled' | Registry key not found. | False |
| 1909.61 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' | Registry key not found. | False |
| 1909.63 | Ensure 'Turn on behavior monitoring' is set to 'Enabled' | Compliant | True |
| 1909.64 | Ensure 'Turn on process scanning whenever real-time protection is enabled' is set to 'Enabled' | Registry key not found. | False |
| 1909.65 | Ensure 'Allow users to pause scan' is set to 'Disabled' | Registry key not found. | False |
| 1909.66 | Ensure 'Check for the latest virus and spyware definitions before running a scheduled scan' is set to 'Enabled' | Registry key not found. | False |
| 1909.67 | Ensure 'Scan archive files' is set to 'Enabled' | Registry value not found. | False |
| 1909.68 | Ensure 'Scan packed executables' is set to 'Enabled' | Registry key not found. | False |
| 1909.69 | Ensure 'Scan removable drives' is set to 'Enabled' | Compliant | True |
| 1909.70 | Ensure 'Turn on e-mail scanning' is set to 'Enabled' | Compliant | True |
| 1909.71 | Ensure 'Turn on heuristics' is set to 'Enabled' | Registry key not found. | False |
| 1909.72 | Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' | Registry key not found. | False |
| 1909.73 | Ensure 'Hide mechanisms to remove zone information' is set to 'Enabled' | Registry key not found. | False |
| 1909.74 | Ensure 'Include command line in process creation events' is set to 'Enabled' | Compliant | True |
| 1909.75 | Ensure 'Specify the maximum log file size (KB)' is set to '65536' | Registry value is '32768'. Expected: 65536 | False |
| 1909.76 | Ensure 'Specify the maximum log file size (KB)' is set to '2097152' | Registry value is '196608'. Expected: 2097152 | False |
| 1909.77 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True |
| 1909.78 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled' | Compliant | True |
| 1909.79 | Ensure 'Turn off Autoplay' is set to 'Enabled' | Compliant | True |
| 1909.80 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Compliant | True |
| 1909.81 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Compliant | True |
| 1909.82 | Ensure 'Route all traffic through the internal network' is set to 'Enabled' | Registry key not found. | False |
| 1909.83 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
| 1909.84 | Ensure 'Remove CD Burning features' is set to 'Enabled' | Registry key not found. | False |
| 1909.85 | Ensure 'Prevent access to the command prompt' is set to 'Enabled' | Registry key not found. | False |
| 1909.86.1 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.86.2 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.86.3 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.86.4 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
| 1909.87.1 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True |
| 1909.87.2 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Registry value not found. | False |
| 1909.87.3 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True |
| 1909.88 | Ensure 'All Removable Storage classes: Deny all access' is set to 'Enabled' | Registry key not found. | False |
| 1909.89 | Ensure 'CD and DVD: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.90 | Ensure 'CD and DVD: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.91 | Ensure 'Custom Classes: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.92 | Ensure 'Custom Classes: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.93 | Ensure 'Floppy Drives: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.94 | Ensure 'Floppy Drives: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.95 | Ensure 'Floppy Drives: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.96 | Ensure 'Removable Disks: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.97 | Ensure 'Removable Disks: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.98 | Ensure 'Removable Disks: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.99 | Ensure 'Tape Drives: Deny execute access' is set to 'Enabled' | Registry key not found. | False |
| 1909.100 | Ensure 'Tape Drives: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.101 | Ensure 'Tape Drives: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.102 | Ensure 'WPD Devices: Deny read access' is set to 'Disabled' | Registry key not found. | False |
| 1909.103 | Ensure 'WPD Devices: Deny write access' is set to 'Enabled' | Registry key not found. | False |
| 1909.104 | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | Compliant | True |
| 1909.105 | Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' | Registry key not found. | False |
| 1909.106.1 | Ensure 'Hardened UNC Paths' is set to 'Enabled' | Registry value not found. | False |
| 1909.106.2 | Ensure 'Hardened UNC Paths' is set to 'Enabled' | Registry value not found. | False |
| 1909.107 | Ensure 'Configure registry policy processing' is set to 'Enabled' | Registry key not found. | False |
| 1909.108 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Compliant | True |
| 1909.109 | Ensure 'Turn off Local Group Policy Objects processing' is set to 'Enabled' | Registry value not found. | False |
| 1909.110.1 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled' | Registry value not found. | False |
| 1909.110.2 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled' | Registry value not found. | False |
| 1909.110.3 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled' | Registry value not found. | False |
| 1909.111 | Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' | Compliant | True |
| 1909.112.1 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.2 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.3 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.4 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.112.5 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.112.6 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.113.1 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.113.2 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.113.3 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.113.4 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.114 | Ensure 'Deny write access to fixed drives not protected by BitLocker' is set to 'Enabled' | Registry value not found. | False |
| 1909.115 | Ensure 'Enforce drive encryption type on fixed data drives' is set to 'Enabled' and 'Full encryption' | Registry value not found. | False |
| 1909.116 | Ensure 'Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.' is set to 'Disabled' | Registry value not found. | False |
| 1909.117 | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Compliant | True |
| 1909.118 | Ensure 'Allow network unlock at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.119 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' | Compliant | True |
| 1909.120.1 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.2 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.120.3 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.4 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.5 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.120.6 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.121 | Ensure 'Configure minimum PIN length for startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.122.1 | Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.122.2 | Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.122.3 | Ensure 'Configure use of passwords for operating system drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.123 | Ensure 'Disallow standard users from changing the PIN or password' is set to 'Disabled' | Registry value not found. | False |
| 1909.124 | Ensure 'Enforce drive encryption type on operating system drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.1 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Compliant | True |
| 1909.125.2 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.125.3 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.4 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.5 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.125.6 | Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry value not found. | False |
| 1909.126 | Ensure 'Reset platform validation data after BitLocker recovery' is set to 'Enabled' | Registry value not found. | False |
| 1909.127.1 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False |
| 1909.127.2 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.127.3 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False |
| 1909.127.4 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 2 | False |
| 1909.127.5 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.127.6 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.127.7 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Compliant | True |
| 1909.127.8 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.128.1 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.128.2 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.128.3 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.128.4 | Ensure 'Configure use of passwords for removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.129.1 | Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.129.2 | Ensure 'Control use of BitLocker on removable drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.130 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Registry value not found. | False |
| 1909.131 | Ensure 'Enforce drive encryption type on removable data drives' is set to 'Enabled' | Registry value not found. | False |
| 1909.132.1 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Compliant | True |
| 1909.132.2 | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Compliant | True |
| 1909.133 | Ensure 'Allow user control over installs' is set to 'Disabled' | Compliant | True |
| 1909.135 | Ensure 'Always install with elevated privileges' is set to 'Disabled' | Compliant | True |
| 1909.136 | Ensure 'Do not process the legacy run list' is set to 'Enabled' | Registry value not found. | False |
| 1909.137 | Ensure 'Do not process the run once list' is set to 'Enabled' | Registry value not found. | False |
| 1909.138 | Ensure 'Run these programs at user logon' is set to 'Disabled' | Registry key not found. | False |
| 1909.139 | Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | Compliant | True |
| 1909.140 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Registry key not found. | False |
| 1909.141 | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled' | Compliant | True |
| 1909.142 | Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled' | Compliant | True |
| 1909.143 | Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Compliant | True |
| 1909.144 | Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Compliant | True |
| 1909.145 | Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Registry value not found. | False |
| 1909.145 | Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Registry key not found. | False |
| 1909.146 | Ensure 'Require a Password When a Computer Wakes (On Battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.147 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.148 | Ensure 'Specify the system hibernate timeout (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.149 | Ensure 'Specify the system hibernate timeout (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.150 | Ensure 'Specify the system sleep timeout (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.151 | Ensure 'Specify the system sleep timeout (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.152 | Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.153 | Ensure 'Specify the unattended sleep timeout (plugged in)' is set to 'Enabled' and '0 seconds' | Registry key not found. | False |
| 1909.154 | Ensure 'Turn off hybrid sleep (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 1909.155 | Ensure 'Turn off hybrid sleep (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 1909.156 | Ensure 'Show hibernate in the power options menu' is set to 'Disabled' | Registry value not found. | False |
| 1909.157 | Ensure 'Show sleep in the power options menu' is set to 'Disabled' | Registry value not found. | False |
| 1909.158 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' | Compliant | True |
| 1909.159.1 | Ensure 'Turn on Script Execution' is set to 'Enabled' | Registry value not found. | False |
| 1909.159.2 | Ensure 'Turn on Script Execution' is set to 'Enabled' | Registry value not found. | False |
| 1909.160 | Ensure 'Prevent access to registry editing tools' is set to 'Enabled' | Registry key not found. | False |
| 1909.161 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Compliant | True |
| 1909.162 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Compliant | True |
| 1909.163 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' | Compliant | True |
| 1909.164 | Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Compliant | True |
| 1909.165 | Ensure 'Configure server authentication for client' is set to 'Enabled' | Registry value not found. | False |
| 1909.166 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | Compliant | True |
| 1909.168 | Ensure 'Deny logoff of an administrator logged in to the console session' is set to 'Enabled' | Registry value not found. | False |
| 1909.169 | Ensure 'Do not allow Clipboard redirection' is set to 'Enabled' | Registry value not found. | False |
| 1909.170 | Ensure 'Do not allow drive redirection' is set to 'Enabled' | Compliant | True |
| 1909.171 | Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Compliant | True |
| 1909.172 | Ensure 'Do not allow local administrators to customize permissions' is set to 'Enabled' | Registry value not found. | False |
| 1909.173 | Ensure 'Require secure RPC communication' is set to 'Enabled' | Compliant | True |
| 1909.174 | Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled' | Compliant | True |
| 1909.175 | Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | Compliant | True |
| 1909.176 | Ensure 'Set client connection encryption level' is set to 'Enabled' | Compliant | True |
| 1909.177 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled' | Compliant | True |
| 1909.178 | Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Compliant | True |
| 1909.179 | Ensure 'Turn off Inventory Collector' is set to 'Enabled' | Registry key not found. | False |
| 1909.180 | Ensure 'Turn off Steps Recorder' is set to 'Enabled' | Registry key not found. | False |
| 1909.181 | Ensure 'Allow Telemetry' is set to 'Enabled' | Compliant | True |
| 1909.182.1 | Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled' | Registry value not found. | False |
| 1909.182.2 | Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled' | Registry value not found. | False |
| 1909.182.3 | Ensure 'Configure Corporate Windows Error Reporting' is set to 'Enabled' | Registry value not found. | False |
| 1909.183 | Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Compliant | True |
| 1909.184 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' | Compliant | True |
| 1909.185 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Compliant | True |
| 1909.186 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | Compliant | True |
| 1909.187 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Compliant | True |
| 1909.188 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | Compliant | True |
| 1909.189 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | Compliant | True |
| 1909.190 | Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' | Compliant | True |
| 1909.191 | Ensure 'Configure SMB v1 client driver' is set to 'Enabled' | Compliant | True |
| 1909.192 | Ensure 'Configure SMB v1 server' is set to 'Disabled' | Compliant | True |
| 1909.193 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Compliant | True |
| 1909.194 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Compliant | True |
| 1909.195 | Ensure 'Allow users to select when a password is required when resuming from connected standby' is set to 'Disabled' | Registry value not found. | False |
| 1909.196 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Compliant | True |
| 1909.197 | Ensure 'Show lock in the user tile menu' is set to 'Enabled' | Registry value not found. | False |
| 1909.198 | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 1909.199 | Ensure 'Enable screen saver' is set to 'Enabled' | Registry key not found. | False |
| 1909.199 | Ensure 'Password protect the screen saver' is set to 'Enabled' | Registry key not found. | False |
| 1909.200 | Ensure 'Screen saver timeout' is set to 'Enabled' | Registry key not found. | False |
| 1909.201 | Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' | Registry key not found. | False |
| 1909.202 | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' | Registry value not found. | False |
| 1909.203 | Ensure 'Do not allow Sound Recorder to run' is set to 'Enabled' | Registry key not found. | False |
| 1909.204 | Ensure 'Allow Basic authentication' is set to 'Disabled' | Compliant | True |
| 1909.205 | Ensure 'Disallow Digest authentication' is set to 'Enabled' | Compliant | True |
| 1909.206 | Ensure 'Allow Basic authentication' is set to 'Disabled' | Compliant | True |
| 1909.207 | Ensure 'Allow unencrypted traffic' is set to 'Disabled' | Compliant | True |
| 1909.208 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | Compliant | True |
| 1909.209 | Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False |
| 1909.210 | Ensure 'Allow Cortana' is set to 'Disabled' | Compliant | True |
| 1909.211 | Ensure 'Don't search the web or display web results in Search' is set to 'Enabled' | Registry value not found. | False |
| 1909.212 | Ensure 'Windows To Go Default Startup Options' is set to 'Disabled' | Registry key not found. | False |
| 1909.213 | Ensure 'Remove Security tab' is set to 'Enabled' | Registry key not found. | False |
| 1909.214 | Ensure 'Turn off location scripting' is set to 'Enabled' | Registry value not found. | False |
| 1909.215 | Ensure 'Turn off location' is set to 'Enabled' | Registry key not found. | False |
| 1909.216 | Ensure 'Turn off Windows Location Provider' is set to 'Enabled' | Registry value not found. | False |
| 1909.217 | Ensure 'Turn off access to the Store' is set to 'Enabled' | Compliant | True |
| 1909.218 | Ensure 'Turn off the Store application' is set to 'Enabled' | Compliant | True |
| 1909.219 | Ensure 'Determine if interactive users can generate Resultant Set of Policy data' is set to 'Enabled' | Registry value not found. | False |
| 1909.220 | Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' | Compliant | True |
| 1909.222 | Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' | Compliant | True |
| 1909.223 | Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' | Compliant | True |
1909.224(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'CompliantTrue
1909.225(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'Registry value is '3'. Expected: 0False
1909.226(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'CompliantTrue
1909.227Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'CompliantTrue
1909.228Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'CompliantTrue
1909.229Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'CompliantTrue
1909.230Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'CompliantTrue
1909.231Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'CompliantTrue
1909.233Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'Registry value not found.False
1909.234Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'CompliantTrue
1909.235Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'CompliantTrue
1909.236Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'CompliantTrue
1909.237Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'CompliantTrue
1909.238Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'CompliantTrue
1909.239Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'CompliantTrue
1909.240Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'CompliantTrue
1909.243Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 65536 or less'CompliantTrue
1909.260Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
1909.262Ensure 'CD and DVD: Deny read access' is set to 'Disabled'Registry key not found.False
1909.263Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'CompliantTrue
1909.264Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'CompliantTrue
1909.265Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'CompliantTrue
1909.266Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'CompliantTrue
1909.267Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'CompliantTrue
1909.268Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
1909.269Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'CompliantTrue
1909.270Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'CompliantTrue
1909.275Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'CompliantTrue
1909.276Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'CompliantTrue
1909.277Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'CompliantTrue
1909.278Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'CompliantTrue
1909.279Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'CompliantTrue
1909.280Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'CompliantTrue
1909.281Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'CompliantTrue
1909.282Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'CompliantTrue
1909.283Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higherCompliantTrue
1909.284Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'CompliantTrue
1909.285Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'CompliantTrue
1909.288Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'CompliantTrue
1909.289Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'CompliantTrue
1909.290Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'CompliantTrue
1909.291Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'CompliantTrue
1909.292Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'CompliantTrue
1909.293Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'CompliantTrue
1909.296Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higherCompliantTrue
1909.314Ensure 'Allow download restrictions' is set to 'Enabled'Registry value is '1'. Expected: 2False
1909.315Ensure 'Configure Do Not Track' is set to 'Enabled'Registry value not found.False
1909.316Ensure 'Control the mode of DNS-over-HTTPS' is set to 'Enabled'Registry value not found.False
1909.317Ensure 'Control where Developer Tools can be used' is set to 'Enabled'Registry value not found.False
1909.318Ensure 'DNS interception checks enabled' is set to 'Disabled'Registry value not found.False
1909.319Ensure 'Default pop-up window setting' is set to 'Enabled'Registry value not found.False
1909.320Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'Registry value not found.False
1909.321Ensure 'Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads' is set to 'Enabled'CompliantTrue
1909.322Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled'CompliantTrue
1909.323Ensure 'Use the Enterprise Mode IE website list' is set to 'Enabled'Registry key not found.False
1909.324Ensure 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.' is set to 'Enabled'Registry key not found.False

User Rights Assignment

Id | Task | Message | Status
1909.241 | Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
1909.242 | Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: LOCAL | False
1909.244 | Ensure 'Manage auditing and security log' is set to 'Administrators' | Compliant | True
1909.271 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' | Compliant | True
1909.273 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop Users' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Administrators | False
1909.274 | Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | Compliant | True
1909.294 | Ensure 'Back up files and directories' is set to 'Administrators' | Compliant | True
1909.295 | Ensure 'Restore files and directories' is set to 'Administrators' | Compliant | True
1909.297 | Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True
1909.298 | Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True
1909.299 | Ensure 'Allow log on locally' is set to 'Administrators, Users' | Compliant | True
1909.300 | Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True
1909.301 | Ensure 'Create a token object' is set to 'No One' | Compliant | True
1909.302 | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
1909.303 | Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True
1909.304 | Ensure 'Debug programs' is set to 'Administrators' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
1909.305 | Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Compliant | True
1909.306 | Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True
1909.307 | Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
1909.308 | Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True
1909.309 | Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True
1909.310 | Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True
1909.311 | Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True
1909.312 | Ensure 'Profile single process' is set to 'Administrators' | Compliant | True
1909.313 | Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True

Account Policies

Id | Task | Message | Status
1909.232 | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
1909.245 | Ensure 'Audit Computer Account Management' is set to 'Success and Failure' | Set to: No Auditing | False
1909.246 | Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' | Set to: No Auditing | False
1909.247 | Ensure 'Audit Security Group Management' is set to 'Success and Failure' | Set to: Success | False
1909.248 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True
1909.249 | Ensure 'Audit Process Creation' is set to 'Success' | Compliant | True
1909.250 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True
1909.251 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True
1909.252 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
1909.253 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
1909.254 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True
1909.255 | Ensure 'Audit Special Logon' is set to include 'Success and Failure' | Set to: Success | False
1909.256 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True
1909.257 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True
1909.258 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
1909.259 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True

Microsoft Benchmarks

This section contains the Microsoft Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
Registry-001 | Set registry value 'PUAProtection' to 1. | Compliant | True
Registry-002 | Set registry value 'MpCloudBlockLevel' to 2. | Registry value not found. | False
Registry-003 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. | Compliant | True
Registry-004 | Ensure 'Turn off real-time protection' is set to 'Disabled'. | Compliant | True
Registry-005 | Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
Registry-006 | Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'. | Registry value is '2'. Expected: 1 | False
Registry-007 | Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'. | Registry value is '0'. Expected: 2 | False
Registry-008 | Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'. | Registry value not found. | False
Registry-009 | Set registry value 'ExploitGuard_ASR_Rules' to 1. | Compliant | True
Registry-010 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True
Registry-011 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True
Registry-012 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True
Registry-013 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True
Registry-014 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True
Registry-015 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True
Registry-016 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True
Registry-017 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True
Registry-018 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True
Registry-019 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True
Registry-020 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True
Registry-021 | Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware) | Registry value is '0'. Expected: 1 | False
Registry-022 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True
Registry-023 | Set registry value 'EnableNetworkProtection' to 1. | Compliant | True
Registry-024 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. | Compliant | True
Registry-025 | Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'. | Compliant | True
Registry-026 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Compliant | True
Registry-027 | Set registry value 'HVCIMATRequired' to 1. | Compliant | True
Registry-028 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Compliant | True
Registry-029 | Set registry value 'ConfigureSystemGuardLaunch' to 1. | Compliant | True
Registry-031 | Set registry value 'UseEnhancedPin' to 1. | Compliant | True
Registry-032 | Set registry value 'RDVDenyCrossOrg' to 0. | Compliant | True
Registry-033 | Set registry value 'DisableExternalDMAUnderLock' to 1. | Compliant | True
Registry-034 | Set registry value 'DCSettingIndex' to 0. | Compliant | True
Registry-035 | Set registry value 'ACSettingIndex' to 0. | Compliant | True
Registry-036 | Set registry value 'DenyDeviceClasses' to 1. | Compliant | True
Registry-037 | Set registry value 'DenyDeviceClassesRetroactive' to 1. | Compliant | True
Registry-038 | Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}. | Compliant | True
Registry-039 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. | Compliant | True
Registry-040 | Set registry value 'AutoConnectAllowedOEM' to 0. | Compliant | True
Registry-041 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
Registry-042 | Ensure 'Turn off Autoplay' is set to 'All drives'. | Compliant | True
Registry-043 | Set registry value 'NoWebServices' to 1. | Compliant | True
Registry-044 | Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'. | Compliant | True
Registry-045 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
Registry-046 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
Registry-047 | Set registry value 'LocalAccountTokenFilterPolicy' to 0. | Compliant | True
Registry-048 | Set registry value 'AllowEncryptionOracle' to 0. | Compliant | True
Registry-049 | Set registry value 'EnhancedAntiSpoofing' to 1. | Compliant | True
Registry-050 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
Registry-051 | Set registry value 'PreventCertErrorOverrides' to 1. | Compliant | True
Registry-052 | Set registry value 'FormSuggest Passwords' to no. | Compliant | True
Registry-053 | Set registry value 'EnabledV9' to 1. | Compliant | True
Registry-054 | Set registry value 'PreventOverride' to 1. | Compliant | True
Registry-055 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Compliant | True
Registry-056 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
Registry-057 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
Registry-058 | Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2. | Compliant | True
Registry-059 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
Registry-060 | Set registry value 'AllowProtectedCreds' to 1. | Compliant | True
Registry-061 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Compliant | True
Registry-062 | Ensure 'Specify the maximum log file size (KB)' is set to '196608'. | Compliant | True
Registry-063 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Compliant | True
Registry-064 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
Registry-065 | Set registry value 'AllowGameDVR' to 0. | Compliant | True
Registry-066 | Ensure 'Configure registry policy processing' is set to '0'. | Compliant | True
Registry-067 | Ensure 'Configure registry policy processing' is set to '0'. | Compliant | True
Registry-068 | Set registry value 'AlwaysInstallElevated' to 0. | Compliant | True
Registry-069 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
Registry-070 | Set registry value 'DeviceEnumerationPolicy' to 0. | Compliant | True
Registry-071 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
Registry-072 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True
Registry-073 | Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1. | Compliant | True
Registry-074 | Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1. | Compliant | True
Registry-075 | Set registry value 'NoLockScreenCamera' to 1. | Compliant | True
Registry-076 | Set registry value 'NoLockScreenSlideshow' to 1. | Compliant | True
Registry-077 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging) | Compliant | True
Registry-078 | Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging) | Registry value not found. | False
Registry-079 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
Registry-080 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
Registry-081 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled'. | Compliant | True
Registry-082 | Set registry value 'ShellSmartScreenLevel' to Block. | Compliant | True
Registry-083 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
Registry-084 | Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0. | Compliant | True
Registry-085 | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
Registry-086 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
Registry-087 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
Registry-088 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
Registry-089 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
Registry-090 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
Registry-091 | Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
Registry-092 | Set registry value 'DisableWebPnPDownload' to 1. | Compliant | True
Registry-093 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'. | Compliant | True
Registry-094 | Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI' | Compliant. Registry value not found. | True
Registry-095 | Configure Solicited Remote Assistance to disabled. | Compliant | True
Registry-096 | Configure Solicited Remote Assistance - Allow helpers to only view the computer. | Compliant. Registry value not found. | True
Registry-097 | Set registry value 'MaxTicketExpiry' to . | Compliant. Registry value not found. | True
Registry-098 | Set registry value 'MaxTicketExpiryUnits' to . | Compliant. Registry value not found. | True
Registry-099 | Set registry value 'MinEncryptionLevel' to 3. | Compliant | True
Registry-100 | Set registry value 'fPromptForPassword' to 1. | Compliant | True
Registry-101 | Set registry value 'fDisableCdm' to 1. | Compliant | True
Registry-102 | Set registry value 'DisablePasswordSaving' to 1. | Compliant | True
Registry-103 | Set registry value 'fEncryptRPCTraffic' to 1. | Compliant | True
Registry-104 | Set registry value 'PolicyVersion' to 538. | Registry value not found. | False
Registry-105 | Domain: Set registry value 'DefaultOutboundAction' to 0. | Compliant | True
Registry-106 | Domain: Set registry value 'DisableNotifications' to 1. | Compliant | True
Registry-107 | Domain: Set registry value 'EnableFirewall' to 1. | Compliant | True
Registry-108 | Domain: Set registry value 'DefaultInboundAction' to 1. | Compliant | True
Registry-109 | Domain: Set registry value 'LogDroppedPackets' to 1. | Compliant | True
Registry-110 | Domain: Set registry value 'LogFileSize' to 16384. | Compliant | True
Registry-111 | Domain: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True
Registry-112 | Private: Set registry value 'EnableFirewall' to 1. | Compliant | True
Registry-113 | Private: Set registry value 'DisableNotifications' to 1. | Compliant | True
Registry-114 | Private: Set registry value 'DefaultInboundAction' to 1. | Compliant | True
Registry-115 | Private: Set registry value 'DefaultOutboundAction' to 0. | Registry value is '0'. Expected: 1 | False
Registry-116 | Private: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True
Registry-117 | Private: Set registry value 'LogDroppedPackets' to 1. | Compliant | True
Registry-118 | Private: Set registry value 'LogFileSize' to 16384. | Compliant | True
Registry-119 | Public: Set registry value 'DefaultOutboundAction' to 0. | Registry value is '0'. Expected: 1 | False
Registry-120 | Public: Set registry value 'EnableFirewall' to 1. | Compliant | True
Registry-121 | Public: Set registry value 'DisableNotifications' to 1. | Compliant | True
Registry-122 | Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0. | Compliant | True
Registry-123 | Public: Set registry value 'AllowLocalPolicyMerge' to 0. | Compliant | True
Registry-124 | Public: Set registry value 'DefaultInboundAction' to 1. | Compliant | True
Registry-125 | Public: Set registry value 'LogFileSize' to 16384. | Registry key not found. | False
Registry-126 | Public: Set registry value 'LogDroppedPackets' to 1. | Compliant | True
Registry-127 | Public: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True
Registry-128 | Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'. | Registry value is '0'. Expected: 1 | False
Registry-129 | Set registry value 'AdmPwdEnabled' to 1. | Compliant | True
Registry-130 | Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'. | Compliant | True
Registry-131 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
Registry-132 | Set registry value 'DriverLoadPolicy' to 3. | Compliant | True
Registry-133 | Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
Registry-134 | Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'. | Compliant | True
Registry-135 | Set registry value 'NoNameReleaseOnDemand' to 1. | Compliant | True
Registry-136 | Set registry value 'NodeType' to 2. | Compliant | True
Registry-137 | Set registry value 'EnableICMPRedirect' to 0. | Compliant | True
Registry-138 | Set registry value 'DisableIPSourceRouting' to 2. | Compliant | True
Registry-139 | Set registry value 'DisableIPSourceRouting' to 2. | Compliant | True
Registry-140 | Set registry value 'ScRemoveOption' to 1. | Compliant | True
Registry-141 | Set registry value 'InactivityTimeoutSecs' to 900. | Compliant | True
Registry-142 | Set registry value 'NoLMHash' to 1. | Compliant | True
Registry-143 | Set registry value 'EnablePlainTextPassword' to 0. | Compliant | True
Registry-144 | Set registry value 'LimitBlankPasswordUse' to 1. | Compliant | True
Registry-145 | Set registry value 'RestrictAnonymousSAM' to 1. | Compliant | True
Registry-146 | Set registry value 'RestrictAnonymous' to 1. | Compliant | True
Registry-147 | Set registry value 'RestrictNullSessAccess' to 1. | Compliant | True
Registry-148 | Set registry value 'SCENoApplyLegacyAuditPolicy' to 1. | Compliant | True
Registry-149 | Set registry value 'NTLMMinClientSec' to 537395200. | Compliant | True
Registry-150 | Set registry value 'LmCompatibilityLevel' to 5. | Compliant | True
Registry-151 | Set registry value 'allownullsessionfallback' to 0. | Compliant | True
Registry-152 | Set registry value 'NTLMMinServerSec' to 537395200. | Compliant | True
Registry-153 | Set registry value 'requirestrongkey' to 1. | Compliant | True
Registry-154 | Set registry value 'RequireSecuritySignature' to 1. | Compliant | True
Registry-155 | Set registry value 'sealsecurechannel' to 1. | Compliant | True
Registry-156 | Set registry value 'requiresignorseal' to 1. | Compliant | True
Registry-157 | Set registry value 'signsecurechannel' to 1. | Compliant | True
Registry-158 | Set registry value 'requiresecuritysignature' to 1. | Compliant | True
Registry-159 | Set registry value 'ProtectionMode' to 1. | Compliant | True
Registry-160 | Set registry value 'ConsentPromptBehaviorAdmin' to 2. | Compliant | True
Registry-161 | Set registry value 'EnableSecureUIAPaths' to 1. | Compliant | True
Registry-162 | Set registry value 'EnableLUA' to 1. | Compliant | True
Registry-163 | Set registry value 'ConsentPromptBehaviorUser' to 0. | Registry value is '3'. Expected: 0 | False
Registry-164 | Set registry value 'EnableInstallerDetection' to 1. | Compliant | True
Registry-165 | Set registry value 'FilterAdministratorToken' to 1. | Compliant | True
Registry-166 | Set registry value 'EnableVirtualization' to 1. | Compliant | True
Registry-167 | Set registry value 'LDAPClientIntegrity' to 1. | Compliant | True
Registry-168 | Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA). | Compliant | True
Registry-223 | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
Registry-224 | Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1. | Registry key not found. | False
Registry-225 | Set registry value 'FormSuggest Passwords' to 1. | Registry key not found. | False
Registry-226 | Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'. | Registry key not found. | False
Registry-227 | Set registry value 'FormSuggest Passwords' to no. | Registry key not found. | False
Registry-228 | Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer' is set to 'Enabled'. | Registry value not found. | False
Registry-229 | Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. | Registry value not found. | False
Registry-230 | Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. | Compliant | True
Registry-231 | Set registry value 'CheckExeSignatures' to yes. | Compliant | True
Registry-232 | Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. | Compliant | True
Registry-233 | Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. | Compliant | True
Registry-234 | Set registry value 'Isolation' to PMEM. | Compliant | True
Registry-235 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-236 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-237 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False
Registry-238 | Set registry value 'explorer.exe' to 1. | Compliant | True
Registry-239 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-240 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-241 | Set registry value 'explorer.exe' to 1. | Compliant | True
Registry-242 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-243 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-244 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-245 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False
Registry-246 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-247 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-248 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-249 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False
Registry-250 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-251 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-252 | Set registry value 'explorer.exe' to 1. | Compliant | True
Registry-253 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-254 | Set registry value '(Reserved)' to 1. | Compliant | True
Registry-255 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False
Registry-256 | Set registry value '(Reserved)' to 1. | Registry value not found. | False
Registry-257 | Set registry value 'explorer.exe' to 1. | Compliant | True
Registry-258 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False
Registry-259 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Compliant | True
Registry-260 | Set registry value 'PreventOverride' to 1. | Compliant | True
Registry-261 | Ensure 'Prevent managing SmartScreen Filter' is set to 'On'. | Registry value not found. | False
Registry-262 | Set registry value 'NoCrashDetection' to 1. | Compliant | True
Registry-263 | Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'. | Compliant | True
Registry-264 | Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'. | Compliant | True
Registry-265 | Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'. | Compliant | True
Registry-266 | Set registry value 'Security_zones_map_edit' to 1. | Compliant | True
Registry-267 | Set registry value 'Security_options_edit' to 1. | Compliant | True
Registry-268 | Set registry value 'Security_HKLM_only' to 1. | Compliant | True
Registry-269 | Ensure 'Check for server certificate revocation' is set to 'Enabled'. | Compliant | True
Registry-270 | Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'. | Compliant | True
Registry-271 | Set registry value 'WarnOnBadCertRecving' to 1. | Compliant | True
Registry-272 | Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'. | Registry value not found. | False
Registry-273 | Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'. | Compliant | True
Registry-274 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True
Registry-275Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-276Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-277Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-278Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-279Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-280Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'.CompliantTrue
Registry-281Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-282Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-283Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-284Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-285Ensure 'Java permissions' is set to 'High safety'.CompliantTrue
Registry-286Ensure 'Java permissions' is set to 'High safety'.CompliantTrue
Registry-287Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-288Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-289Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-290Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.CompliantTrue
Registry-291Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.CompliantTrue
Registry-292Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.CompliantTrue
Registry-293Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-294Ensure 'Access data sources across domains' is set to 'Disable'.CompliantTrue
Registry-295Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.CompliantTrue
Registry-296Ensure 'Automatic prompting for file downloads' is set to 'Disable'.CompliantTrue
Registry-297Ensure 'Allow scriptlets' is set to 'Disable'.CompliantTrue
Registry-298Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.CompliantTrue
Registry-299Ensure 'Use Pop-up Blocker' is set to 'Enable'.CompliantTrue
Registry-300Ensure 'Turn on Protected Mode' is set to 'Enable'.CompliantTrue
Registry-301Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry value is '0'. Expected: 3False
Registry-302Ensure 'Userdata persistence' is set to 'Disable'.CompliantTrue
Registry-303Ensure 'Allow loading of XAML files' is set to 'Disable'.CompliantTrue
Registry-304Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-305Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-306Ensure 'Download signed ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-307Ensure 'Logon options' is set to 'Prompt for user name and password'.CompliantTrue
Registry-308Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.CompliantTrue
Registry-309Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-310Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.CompliantTrue
Registry-311Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.CompliantTrue
Registry-312Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.CompliantTrue
Registry-313Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-314Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.CompliantTrue
Registry-315Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.CompliantTrue
Registry-316Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.CompliantTrue
Registry-317Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry value not found.False
Registry-318Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'.Registry value is '3'. Expected: 1False
Registry-319Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry value not found.False
Registry-320Set registry value '140C' to 3. (Zones\3)Registry value not found.False
Registry-321Ensure 'Allow META REFRESH' is set to 'Disable'.CompliantTrue
Registry-322Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.CompliantTrue
Registry-323Ensure 'Download signed ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-324Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.CompliantTrue
Registry-325Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.CompliantTrue
Registry-326Ensure 'Use Pop-up Blocker' is set to 'Enable'.CompliantTrue
Registry-327Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-328Ensure 'Userdata persistence' is set to 'Disable'.CompliantTrue
Registry-329Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.CompliantTrue
Registry-330Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.CompliantTrue
Registry-331Ensure 'Access data sources across domains' is set to 'Disable'.CompliantTrue
Registry-332Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.CompliantTrue
Registry-333Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-334Ensure 'Automatic prompting for file downloads' is set to 'Disable'.CompliantTrue
Registry-335Ensure 'Allow binary and script behaviors' is set to 'Disable'.CompliantTrue
Registry-336Ensure 'Scripting of Java applets' is set to 'Disable'.CompliantTrue
Registry-337Ensure 'Allow file downloads' is set to 'Disable'.CompliantTrue
Registry-338Ensure 'Allow loading of XAML files' is set to 'Disable'.CompliantTrue
Registry-339Ensure 'Allow active scripting' is set to 'Disable'.CompliantTrue
Registry-340Ensure 'Logon options' is set to 'Anonymous logon'.CompliantTrue
Registry-341Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.CompliantTrue
Registry-342Ensure 'Turn on Protected Mode' is set to 'Enable'.CompliantTrue
Registry-343Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.CompliantTrue
Registry-344Ensure 'Java permissions' is set to 'Disable Java'.CompliantTrue
Registry-345Ensure 'Allow scriptlets' is set to 'Disable'.CompliantTrue
Registry-346Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.CompliantTrue
Registry-347Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.CompliantTrue
Registry-348Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.CompliantTrue
Registry-349Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.CompliantTrue
Registry-350Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry value is '0'. Expected: 3False
Registry-351Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.CompliantTrue
Registry-352Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.CompliantTrue
Registry-353Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.CompliantTrue
Registry-354Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.CompliantTrue
Registry-355Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.CompliantTrue
Registry-356Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.CompliantTrue
Registry-357Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.Registry value is '1'. Expected: 3False
Registry-358Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry value not found.False
Registry-359Set registry value '140C' to 3. (Zones\4)Registry value not found.False

User Rights Assignment

Id | Task | Message | Status
UserRight-170 | Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-171 | Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-172 | Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-173 | Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-174 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' | Compliant | True
UserRight-175 | Ensure 'SeCreatePermanentPrivilege' is set to '' | Compliant | True
UserRight-176 | Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-177 | Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-178 | Ensure 'SeLockMemoryPrivilege' is set to '' | Compliant | True
UserRight-179 | Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113' | Compliant | True
UserRight-180 | Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
UserRight-181 | Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True
UserRight-182 | Ensure 'SeCreateTokenPrivilege' is set to '' | Compliant | True
UserRight-183 | Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True
UserRight-184 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-185 | Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-186 | Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545' | Compliant | True
UserRight-187 | Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-188 | Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
UserRight-189 | Ensure 'SeTrustedCredManAccessPrivilege' is set to '' | Compliant | True
UserRight-190 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-191 | Ensure 'SeTcbPrivilege' is set to '' | Compliant | True
UserRight-192 | Ensure 'SeEnableDelegationPrivilege' is set to '' | Compliant | True

Account Policies

Id | Task | Message | Status
AccountPolicy-216 | Ensure 'MinimumPasswordLength' is set to '14'. | Compliant | True
AccountPolicy-217 | Ensure 'PasswordComplexity' is set to '1'. | Compliant | True
AccountPolicy-218 | Ensure 'PasswordHistorySize' is set to '24'. | Compliant | True
AccountPolicy-219 | Ensure 'LockoutBadCount' is set to '10'. | Compliant | True
AccountPolicy-220 | Ensure 'ResetLockoutCount' is set to '15'. | Compliant | True
AccountPolicy-221 | Ensure 'LockoutDuration' is set to '15'. | Compliant | True
AccountPolicy-222 | Ensure 'ClearTextPassword' is set to '0'. | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
AuditPolicy-193 | Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-194 | Ensure 'Security Group Management' is set to 'Success'. | Compliant | True
AuditPolicy-195 | Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-196 | Ensure 'Plug and Play Events' is set to 'Success'. | Compliant | True
AuditPolicy-197 | Ensure 'Process Creation' is set to 'Success'. | Compliant | True
AuditPolicy-198 | Ensure 'Account Lockout' is set to 'Failure'. | Compliant | True
AuditPolicy-199 | Ensure 'Group Membership' is set to 'Success'. | Compliant | True
AuditPolicy-200 | Ensure 'Logon' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-201 | Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-202 | Ensure 'Special Logon' is set to 'Success'. | Compliant | True
AuditPolicy-203 | Ensure 'Detailed File Share' is set to 'Failure'. | Compliant | True
AuditPolicy-204 | Ensure 'File Share' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-205 | Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-206 | Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-207 | Ensure 'Audit Policy Change' is set to 'Success'. | Compliant | True
AuditPolicy-208 | Ensure 'Authentication Policy Change' is set to 'Success'. | Compliant | True
AuditPolicy-209 | Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-210 | Ensure 'Other Policy Change Events' is set to 'Failure'. | Compliant | True
AuditPolicy-211 | Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-212 | Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-213 | Ensure 'Security State Change' is set to 'Success'. | Compliant | True
AuditPolicy-214 | Ensure 'Security System Extension' is set to 'Success'. | Compliant | True
AuditPolicy-215 | Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'. | Compliant | True

BSI Benchmarks SiSyPHuS Logging

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
4.1.1 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True
4.1.2 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Compliant | True
4.2.1.1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Compliant | True
4.2.1.2 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
4.2.1.3 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False
4.2.1.4 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Compliant | True
4.2.2.1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True
4.2.2.2 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
4.2.2.3 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Compliant | True
4.2.2.4 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Compliant | True
4.2.3.1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True
4.2.3.2 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True
4.2.3.3 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True
4.2.3.4 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True
4.3.1.1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True
4.3.2.1.1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
4.3.2.1.2 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.2.2.1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
4.3.2.2.2 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.2.3.1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True
4.3.2.3.2 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.2.4.1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True
4.3.2.4.2 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
4.3.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False
4.3.4.2 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False
4.3.4.3 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
5.1.1.1 | Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True
5.1.1.2 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True
5.1.1.3 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True
5.1.1.4 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True
5.1.1.5 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
5.1.1.6 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
5.1.1.7 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True
5.1.1.8 | Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True
5.2.1.1 | Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True
5.2.1.2 | Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True
5.2.1.3 | Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True
5.2.1.4 | Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True
5.2.1.5 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True
5.2.1.6 | Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True
5.2.1.7 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True
5.2.1.8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True
5.2.1.9 | Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True
5.3.1.1 | Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True
5.3.1.2 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
5.3.1.3 | Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True
5.3.1.4 | Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True
5.3.1.5 | Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True
5.3.1.6 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True
5.5.1.1 | Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True
5.5.1.2 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True

BSI Benchmarks SiSyPHuS HD

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
11 | (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. | Compliant | True
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
13 | (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. | Compliant | True
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
15 | (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. | Compliant | True
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
18 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True
19 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
23 | (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. | Compliant | True
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True
28 | (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. | Compliant | True
29 | (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True
30 | (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True
31 | (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True
32 | (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
36 | (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. | Compliant | True
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
38 | (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
47 | (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. | Compliant | True
48 | (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. | Compliant | True
49 | (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. | Compliant | True
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
58 | (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False
66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Compliant | True
67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Compliant | True
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True
70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False
71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True
72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True
73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True
80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True
83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False
92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False
93 | (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. | Compliant | True
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False
104 | (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. | Compliant | True
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
108 | (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
110 | (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. | Registry value not found. | False
111 | (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. | Registry value not found. | False
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False
122 | (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. | Compliant | True
123 | (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True
125 | (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. | Compliant | True
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
128 | (HD) Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True
129 | (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. | Compliant | True
130 | (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
132 | (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True
133 | (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False
140 | (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. | Compliant | True
141 | (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Compliant | True
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True
144 | (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
150 | (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True
151 | (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. | Registry value not found. | False
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
154 | (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. | Compliant | True
155 | (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True
156 | (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. | Compliant | True
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '0'. Expected: 99 | False
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True
166 | (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Compliant | True
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes). | Compliant | True
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). | Compliant | True
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). | Compliant | True
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). | Compliant | True
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). | Compliant | True
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). | Compliant | True
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). | Compliant | True
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). | Compliant | True
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). | Compliant | True
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). | Compliant | True
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). | Compliant | True
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True
176 | (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. | Compliant | True
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
179 | (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False
182 | (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. | Registry key not found. | False
184 | (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. | Registry key not found. | False
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
190 | (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
195 | (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. | Registry value not found. | False
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True
225 | (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. | Compliant | True
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
228 | (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True
250 | (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. | Registry value not found. | False
251 | (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. | Registry value not found. | False
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True
273 | (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. | Compliant | True
274 | (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. | Compliant | True
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True
316 | (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. | Compliant | True
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False
318 | (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False
319 | (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
321 | (ND, NE) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True
322 | (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. | Compliant | True
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
324 | (ND, NE) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True
325 | (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. | Compliant | True
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
327 | (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. | Compliant | True
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
329 | (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. | Compliant | True
330 | (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
332 | (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. | Compliant | True
333 | (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. | Compliant | True
334 | (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. | Compliant | True
335 | (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. | Compliant | True
336 | (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. | Compliant | True
337 | (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. | Compliant | True
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True
340 | (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. | Compliant | True
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
342 | (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True
344 | (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. | Compliant | True
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True
346 | (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. | Compliant | True
347 | (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. | Compliant | True
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True
350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Compliant | True
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True
352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Compliant | True
353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Compliant | True
354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Compliant | True
355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True
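
The False rows above fall into three kinds: the policy key or value was never created ("Registry key not found." / "Registry value not found.", i.e. the setting is unconfigured, which is not the same as compliant), the value exists but is wrong (123, 160, 190, 218), or a service start type is Manual (3) or Automatic (2) instead of Disabled (4) (318, 319, 330, 355). The PowerShell below is an added example, not output or code from the audit tool that produced this report: it re-checks a subset of those findings directly in the registry and emits the same message vocabulary the report uses, so a remediated machine can be re-verified without re-running the whole audit. The report names no registry locations, so the paths and expected DWORD values here are this example's assumptions (the standard Group Policy and service-control locations for these settings); run it from an elevated prompt.

```powershell
# Added example (not the audit tool's code): re-check a subset of the report's
# failed registry-backed findings and print Id | Task | Message | Status.
# Registry paths below are the usual policy / service-control locations for
# these settings; they are assumptions for this example, not taken from the report.

$Checks = @(
    [pscustomobject]@{ Id = 123; Task = "Allow Use of Camera = Disabled"
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Camera'; Name = 'AllowCamera'; Expected = 0 }
    [pscustomobject]@{ Id = 160; Task = "Download Mode = Simple (99)"
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'; Name = 'DODownloadMode'; Expected = 99 }
    [pscustomobject]@{ Id = 190; Task = "Allow Remote Shell Access = Disabled"
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'; Name = 'AllowRemoteShellAccess'; Expected = 0 }
    [pscustomobject]@{ Id = 218; Task = "UAC: elevation prompt for standard users = Prompt for credentials on the secure desktop"
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorUser'; Expected = 1 }
    [pscustomobject]@{ Id = 250; Task = "Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all"
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictSendingNTLMTraffic'; Expected = 2 }
    [pscustomobject]@{ Id = 251; Task = "Restrict NTLM: Incoming NTLM traffic = Deny all accounts"
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'RestrictReceivingNTLMTraffic'; Expected = 2 }
    # Service start type: 4 = Disabled, 3 = Manual, 2 = Automatic
    [pscustomobject]@{ Id = 319; Task = "Bluetooth Support Service (bthserv) = Disabled"
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\bthserv'; Name = 'Start'; Expected = 4 }
    [pscustomobject]@{ Id = 355; Task = "Windows Remote Management (WinRM) = Disabled"
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM'; Name = 'Start'; Expected = 4 }
)

function Test-RegistryFinding {
    param([Parameter(Mandatory)] [pscustomobject] $Check)

    if (-not (Test-Path -LiteralPath $Check.Path)) {
        # Key absent: the policy was never applied on this machine.
        $message = 'Registry key not found.'; $status = $false
    } else {
        $item = Get-ItemProperty -LiteralPath $Check.Path -ErrorAction SilentlyContinue
        if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $Check.Name)) {
            # Key exists but this particular value was never written.
            $message = 'Registry value not found.'; $status = $false
        } else {
            $actual = $item.($Check.Name)
            if ([int64]$actual -eq [int64]$Check.Expected) {
                $message = 'Compliant'; $status = $true
            } else {
                $message = "Registry value is '$actual'. Expected: $($Check.Expected)"; $status = $false
            }
        }
    }
    [pscustomobject]@{ Id = $Check.Id; Task = $Check.Task; Message = $message; Status = $status }
}

$results = $Checks | ForEach-Object { Test-RegistryFinding -Check $_ }
$results | Format-Table -AutoSize

# Optional remediation (run elevated; follow with gpupdate /force or a reboot).
# Service start types go through the service controller, not a raw write to Start.
if ($env:APPLY_FIXES -eq '1') {
    foreach ($r in $results | Where-Object { -not $_.Status }) {
        $c = $Checks | Where-Object Id -eq $r.Id
        if ($c.Name -eq 'Start') {
            $svc = Split-Path -Leaf $c.Path
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc -StartupType Disabled
        } else {
            New-Item -Path $c.Path -Force | Out-Null
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Expected -Force | Out-Null
        }
    }
}
```

Run it once to confirm it reproduces the report's False rows, then with `$env:APPLY_FIXES = '1'` to remediate and once more to verify. Two cautions before applying: the outgoing NTLM restriction (250) has an audit value (1) that logs NTLM use without blocking it, and moving straight to 'Deny all' on both 250 and 251 breaks whatever on the host still authenticates with NTLM only (local-account access to shares, third-party SMB devices), so audit first. And the combination the report shows for WinRM, service start type 2 (355) with remote shell access allowed (190) and the WinRM management policy unconfigured (195), means that if a listener is ever enabled, remote PowerShell is reachable; until those three are fixed, the inbound Block defaults in 363, 367 and 373 are what stands in front of it.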

User Rights Assignment

Id | Task | Message | Status
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user right 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
281 | (HD) Configure 'Log on as a service'. [Hyper-V-Feature NOT installed] | The user right 'SeServiceLogonRight' contains the following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user right 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | Compliant | True
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains the following unexpected users: NT AUTHORITY\Local account (S-1-5-113). The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains the following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators. The user right 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user right 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user right 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False

Account Policies

Id | Task | Message | Status
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True

Security Options

Id | Task | Message | Status
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True
249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True

BSI Benchmarks SiSyPHuS ND

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '0'. Expected: 99 | False
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). | Compliant | True
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). | Compliant | True
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). | Compliant | True
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). | Compliant | True
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). | Compliant | True
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). | Compliant | True
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). | Compliant | True
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). | Compliant | True
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). | Compliant | True
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). | Compliant | True
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. | Compliant | True
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True

User Rights Assignment

| Id | Task | Message | Status |
| --- | --- | --- | --- |
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113); The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False |

Account Policies

| Id | Task | Message | Status |
| --- | --- | --- | --- |
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True |
| 206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
| 207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
| 208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |

Security Options

| Id | Task | Message | Status |
| --- | --- | --- | --- |
| 235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
| 236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
| 237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
| 238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
| 249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True |

BSI Benchmarks SiSyPHuS NE

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

| Id | Task | Message | Status |
| --- | --- | --- | --- |
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '0'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
| 183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry value is '0'. Expected: 1 | False |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |

User Rights Assignment

Id | Task | Message | Status
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113); The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False

Account Policies

Id | Task | Message | Status
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True

Security Options

Id | Task | Message | Status
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True

BSI Benchmarks SiSyPHus-BSI

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
3.1.1 A | Configuration of the lowest possible telemetry-level (Enterprise Windows 10) | Compliant | True
3.1.1 B | Configuration of the lowest possible telemetry-level (Non-Enterprise Windows 10) | Registry value is '0'. Expected: 1 | False
3.1.2.1 | Deactivation of the telemetry service and ETW-sessions - disable service DiagTrack | Compliant | True
3.1.2.2 | Deactivation of the telemetry service and ETW-sessions - disable service Autologger-Diagtrack-Listener | Compliant | True
3.1.3.1.1 | Deactivation of telemetry according to Microsoft - Disable Windows Update Service | Registry value is '3'. Expected: 4 | False
3.1.3.1.2 | Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: disable MAPS | Compliant | True
3.1.3.1.3 | Deactivation of telemetry according to Microsoft - Cloud-Based-Protection: never send sample files | Compliant | True

BSI Benchmarks SiSyPHus-BSI Bundespolizei

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
0003 | Ensure 'Configure Automatic Updates' is set to 4 | Registry value not found. | False
0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day' | Compliant | True
0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768' | Compliant | True
0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False
0037 | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'. | Compliant | True
0038 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'. | Compliant | True
0039 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'. | Registry value not found. | False
0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
0041 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True
0065 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry value not found. | False
0101 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled' | Compliant | True
0109 | Ensure 'Allow Telemetry' is set to 0. | Compliant | True
0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True
0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True
0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True
0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True
0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
0121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True
0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True
0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True
0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True
0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True
0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
0138 | Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False
0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True
0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False
0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True
0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True
0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False
0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True
0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Compliant | True
0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True
0153 | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0154 | Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
0155 | Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
0156 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
0157 | Ensure 'Enable local admin password management' is set to 'Enabled'. | Compliant | True
0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
0159 | Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
0160 | Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Compliant | True
0161 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True
0163 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
0164 | Ensure 'Include command line in process creation events' is set to 'Disabled'. | Registry key not found. | False
0165 | Ensure 'Let Windows apps access account information' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0166 | Ensure 'Let Windows apps access call history' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0167 | Ensure 'Let Windows apps access contacts' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0168 | Ensure 'Let Windows apps access email' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0169 | Ensure 'Let Windows apps access location' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0170 | Ensure 'Let Windows apps access messaging' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0171 | Ensure 'Let Windows apps access motion' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0172 | Ensure 'Let Windows apps access notifications' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0173 | Ensure 'Let Windows apps access the calendar' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0174 | Ensure 'Let Windows apps access the camera' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0175 | Ensure 'Let Windows apps access the microphone' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0176 | Ensure 'Let Windows apps access trusted devices' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0177 | Ensure 'Let Windows apps control radios' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0178 | Ensure 'Let Windows apps make phone calls' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0179 | Ensure 'Let Windows apps sync with devices' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0185 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'. | Registry value not found. | False
0209 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
0210 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
0211 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
0212 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'. | Registry value not found. | False
0213 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'. | Compliant | True
0214 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True
0215 | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'. | Compliant | True
0216 | Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True
0217 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
0218 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0220 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
0221 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
0222 | Ensure 'Require additional authentication at startup' is set to 'Enabled'. | Compliant | True
0223 | Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True
0224 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
0225 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
0229 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
0230 | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
0231 | Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
0232 | Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True
0233 | Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True
0234 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
0235 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
0236 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
0237 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. | Compliant | True
0238 | Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
0239 | Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True
0240 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
0241 | Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True
0242 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
0243 | Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled'. | Compliant | True
0244 | Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'. | Compliant | True
0245 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
0246 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True
0247 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True
0248 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled: Block untrusted fonts and log events'. | Compliant | True
0249 | Ensure 'Untrusted Font Blocking' is set to 'Enabled'. | Registry key not found. | False
0250 | Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
0251 | Ensure 'WDigest Authentication' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0253 | Ensure 'Windows Firewall: Domain: Apply local firewall rules' is set to 'Disabled'. | Compliant | True
0254 | Ensure 'Windows Firewall: Domain: Display a notification' is set to 'Disabled'. | Compliant | True
0279 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%windir%\system32\logfiles\firewall\domainfirewall.log'. | Compliant | True
0280 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384'. | Registry key not found. | False
0281 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'. | Registry value is '0'. Expected: 1 | False
0282 | Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content' is set to 'Enabled'. | Compliant | True
0283 | Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True
0284 | Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
0285 | Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Registry value not found. | False
0286 | Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'. | Compliant | True
0287 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'. | Registry value is '1'. Expected: 2 | False
0288 | Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' is set to 'Enabled'. | Compliant | True
0289 | Ensure 'Don't allow SmartScreen Filter warning overrides' is set to 'Enabled'. | Compliant | True
0290 | Ensure 'Prevent managing SmartScreen Filter' is set to 'Enabled: On'. | Registry value not found. | False
0291 | Ensure 'Prevent managing SmartScreen Filter' is set to 'Enabled: On'. | Compliant | True
0292 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enabled'. | Compliant | True
0293 | Ensure 'Allow Cortana' is set to 'Disabled'. | Compliant | True
0294 | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
0295 | Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. | Registry value not found. | False
0296 | Ensure 'Disable pre-release features or settings' is set to 'Disabled'. | Registry value not found. | False
0297 | Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True
0298 | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Enabled'. | Registry value is '4'. Expected: 2 | False
0299 | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
0300 | Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True
0301 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
0302 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
0304 | Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0306 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True
0307 | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
0308 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
0309 | Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True
0310 | Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
0311 | Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True
0312 | Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
0313 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
0323 | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'. | Registry value is ''. Expected: | False
0324 | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'. | Registry value is ''. Expected: | False
0325 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'XTS-AES 256-bit'. | Registry value not found. | False
0328 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'. | Compliant | True
0329 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'. | Compliant | True
0330 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'. | Registry value not found. | False
0331 | Ensure 'Configure minimum PIN length for startup' is set to 'Enabled' and 'minimum characters' is set to 10. | Registry value not found. | False
0332 | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0333 | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0334 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0335 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'. | Compliant | True
0336 | Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'. | Compliant | True
0337 | Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'. | Registry value not found. | False
0338 | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'. | Compliant | True
0339 | Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'. | Compliant | True
0340 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. | Compliant | True
0342 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for fixed data drives'. | Compliant | True
0343 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for operating system drives'. | Compliant | True
0344 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for removable data drives'. | Compliant | True
0345 | Ensure 'Require additional authentication at startup' is set to 'Do not allow startup key and PIN with TPM'. | Registry value not found. | False
0346 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Allow data recovery agent'. | Compliant | True
0347 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Allow data recovery agent'. | Compliant | True
0348 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Allow data recovery agent'. | Compliant | True
0349 | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0350 | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0351 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0352 | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Require use of smart cards on fixed data drives'. | Compliant | True
0353 | Ensure 'Configure use of smart cards on removable data drives' is set to 'Require use of smart cards on removable data drives'. | Compliant | True
0354 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Do not allow write access to devices configured in another organization'. | Registry value is '0'. Expected: 1 | False
0355 | Ensure 'Password Settings' is set to 'Large letters + small letters + numbers + specials'. | Compliant | True
0358 | Ensure 'Require additional authentication at startup' is set to 'Allow BitLocker without a compatible TPM'. | Compliant | True
0359 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard'. | Compliant | True
0360 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard (Test)'. | Compliant | True
0361 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard (True)'. | Compliant | True
0362 | Ensure 'Require additional authentication at startup' is set to 'Do not allow startup key with TPM'. | Registry value not found. | False
0363 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Allow 48-digit recovery password'. | Compliant | True
0364 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Require 48-digit recovery password'. | Registry value is '2'. Expected: 1 | False
0365 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Do not allow 48-digit recovery password'. | Registry value not found. | False
0366 | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'. | Compliant | True
0367 | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True
0368 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True
0369 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Password Length' and set to greater or equal 15. | Compliant | True
0370 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Also apply to matching devices that are already installed. (True)'. | Registry value not found. | False
0371 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Also apply to matching devices that are already installed. (True)'. | Compliant | True
0372 | Ensure 'Require additional authentication at startup' is set to 'Do not allow TPM'. | Registry value not found. | False
0373 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'. | Compliant | True
0374 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'. | Compliant | True
0375 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Backup recovery passwords and key packages'. | Compliant | True
0376 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Store recovery passwords and key packages'. | Compliant | True
0377 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Backup recovery passwords and key packages'. | Compliant | True
0378 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Do not allow 256-bit recovery key'. | Compliant | True
0380 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Do not allow 256-bit recovery key'. | Compliant | True
0384 | Ensure 'Password Age' is set to less or equal 42. | Registry value is '10'. Expected: 42 | False
0385 | Ensure 'Require additional authentication at startup' is set to 'Require startup PIN with TPM'. | Registry value not found. | False
0386 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'. | Compliant | True
0387 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. | Compliant | True
0388 | Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
0389 | Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
0390 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 5 minutes'. | Registry value is '900000'. Expected: 300000 | False
0391 | Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Compliant | True

User Rights Assignment

Id | Task | Message | Status
0044 | Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled' | The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SID | False
0045 | Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup Operators | False
0046 | Ensure 'SeTcbPrivilege' is set to 'None' | The user 'SeTcbPrivilege' setting does not contain the following users: NULL SID | False
0047 | Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0048 | Ensure 'Allow log on locally' is set to 'Administrators, Users' | Compliant | True
0049 | Ensure 'SeBackupPrivilege' is set to 'Administrator' | Compliant | True
0050 | Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE' | Compliant | True
0051 | Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\Users | False
0052 | Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICE | False
0053 | Ensure 'SeCreateTokenPrivilege' is set to 'None' | The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SID | False
0054 | Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0055 | Ensure 'SeCreatePermanentPrivilege' is set to 'None' | The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SID | False
0056 | Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator' | Compliant | True
0057 | Ensure 'SeDebugPrivilege' is set to 'Administrator' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
0064 | Ensure 'SeEnableDelegationPrivilege' is set to 'None' | The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SID | False
0066 | Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator' | Compliant | True
0067 | Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0068 | Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICE | False
0069 | Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator' | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False
0085 | Ensure 'SeRelabelPrivilege' is set to 'None' | The user 'SeRelabelPrivilege' setting does not contain the following users: NULL SID | False
0086 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator' | Compliant | True
0087 | Ensure 'SeManageVolumePrivilege' is set to 'Administrator' | Compliant | True
0088 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator' | Compliant | True
0089 | Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE\WdiServiceHost' | Compliant | True
0090 | Ensure 'SeRestorePrivilege' is set to 'Administrator' | Compliant | True
0091 | Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users' | Compliant | True
0094 | Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator' | Compliant | True
0104 | Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest' | Compliant | True
0105 | Ensure 'SeDenyBatchLogonRight' is set to 'Guest' | Compliant | True
0106 | Ensure 'SeDenyServiceLogonRight' is set to 'Guest' | Compliant | True
0107 | Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest' | Compliant | True
0108 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest' | Compliant | True
0180 | Ensure 'Load and unload device drivers' is set to 'Administrator' | Compliant | True
0181 | Ensure 'Lock pages in memory' is set to 'No one' | The user 'SeLockMemoryPrivilege' setting does not contain the following users: NULL SID | False
0182 | Ensure 'Log on as a batch job' is set to 'Administrator' | Compliant | True
0183 | Ensure 'Log on as a service' is set to 'No one' | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines; The user 'SeServiceLogonRight' setting does not contain the following users: NULL SID | False
0184 | Ensure 'Manage auditing and security log' is set to 'Administrator' | Compliant | True
0219 | Ensure 'Replace a process level token' is set to 'Local Service, Network Service' | Compliant | True
0303 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Administrators | False

Account Policies-

IdTaskMessageStatus
0001 Ensure 'Maximum password age' is set to between 1 and 42'MaximumPasswordAge' currently set to: 120. Expected: x <= 42 and x >= 1False
0002 Ensure 'Password must meet complexity requirements' is set to 'Enabled'CompliantTrue
0100 Ensure 'Reset account lockout counter after' is set greater or equal 15CompliantTrue
0102 Ensure 'Account lockout duration' is set to '15 or more minute(s)'CompliantTrue
0103Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10CompliantTrue
0162 Ensure 'Enforce password history' is set greater or equal 24CompliantTrue
0186 Ensure 'Minimum password age' is set to greater or equal 1CompliantTrue
0187 Ensure 'Minimum password length' is set to greater or equal 14CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
0008 Ensure 'Audit Application Group Management' is set to 'Success and Failure'CompliantTrue
0011 Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'Set to: No AuditingFalse
0012 Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure'Set to: SuccessFalse
0013 Ensure 'Audit account management' is set to 'SuccessAndFailure'CompliantTrue
0014 Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0015 Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0016 Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure'CompliantTrue
0017 Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure'Set to: FailureFalse
0018 Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure'CompliantTrue
0019 Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure'CompliantTrue
0020 Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled'CompliantTrue
0021 Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure'CompliantTrue
0022 Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0023 Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0025 Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure'CompliantTrue
0026 Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure'CompliantTrue
0027 Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0028 Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure'Set to: SuccessFalse
0029 Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure'CompliantTrue

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package.

Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
  • DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
  • CYBERGOVAU Hardening Microsoft Windows 10 version 21H1 Workstations, Version: 10.2020, Date 2020-10-01
  • Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 12/07/2022 10:37:18 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

A total of 2682 tests have been executed.

  1. True 2157 test(s) ≙ 80.43%
  2. False 521 test(s) ≙ 19.43%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 4 test(s) ≙ 0.15%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 512 tests have been executed in section CIS Benchmarks.

  1. True 478 test(s) ≙ 93.36%
  2. False 33 test(s) ≙ 6.45%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 0.20%
  5. Error 0 test(s) ≙ 0.00%

DISA Recommendations

A total of 161 tests have been executed in section DISA Recommendations.

  1. True 133 test(s) ≙ 82.61%
  2. False 25 test(s) ≙ 15.53%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 3 test(s) ≙ 1.86%
  5. Error 0 test(s) ≙ 0.00%

CyberGovAu Benchmarks

A total of 381 tests have been executed in section CyberGovAu Benchmarks.

  1. True 196 test(s) ≙ 51.44%
  2. False 185 test(s) ≙ 48.56%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 357 tests have been executed in section Microsoft Benchmarks.

  1. True 306 test(s) ≙ 85.71%
  2. False 51 test(s) ≙ 14.29%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.

  1. True 48 test(s) ≙ 94.12%
  2. False 3 test(s) ≙ 5.88%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS HD

A total of 384 tests have been executed in section BSI Benchmarks SiSyPHuS HD.

  1. True 327 test(s) ≙ 85.16%
  2. False 57 test(s) ≙ 14.84%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS ND

A total of 292 tests have been executed in section BSI Benchmarks SiSyPHuS ND.

  1. True 252 test(s) ≙ 86.30%
  2. False 40 test(s) ≙ 13.70%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS NE

A total of 262 tests have been executed in section BSI Benchmarks SiSyPHuS NE.

  1. True 223 test(s) ≙ 85.11%
  2. False 39 test(s) ≙ 14.89%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHus-BSI

A total of 7 tests have been executed in section BSI Benchmarks SiSyPHus-BSI.

  1. True 5 test(s) ≙ 71.43%
  2. False 2 test(s) ≙ 28.57%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHus-BSI Bundespolizei

A total of 275 tests have been executed in section BSI Benchmarks SiSyPHus-BSI Bundespolizei.

  1. True 189 test(s) ≙ 68.73%
  2. False 86 test(s) ≙ 31.27%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Security Base Data

System information

HostnameDESKTOP-UTMU75K.fb-pro.com
Domain roleMember Workstation
Operating SystemMicrosoft Windows 10 Pro
Build NumberVersion 21H2 (Build 19044.2251)
Installation LanguageEnglish (United States)
System Uptime0:02:03:14
Free disk space40.4 GB
Free physical memory24.8% (5.1 GB / 20.7 GB)

Table Of Contents

Click the link(s) below for quick access to a report section.

Security Base Data Details

Security Base Data-

Platform Security-

IdTaskMessageStatus
SBD-001Ensure the system is booting in 'UEFI' mode.CompliantTrue
SBD-002Ensure the system is using SecureBoot.CompliantTrue
SBD-003Ensure the TPM Chip is 'present'.CompliantTrue
SBD-004Ensure the TPM Chip is 'ready'.CompliantTrue
SBD-005Ensure the TPM Chip is 'enabled'.CompliantTrue
SBD-006Ensure the TPM Chip is 'activated'.CompliantTrue
SBD-007Ensure the TPM Chip is 'owned'.CompliantTrue
SBD-008Ensure the TPM Chip is implementing specification version 2.0 or higher.CompliantTrue

Windows Base Security-

IdTaskMessageStatus
SBD-009Get amount of active local users on system.CompliantTrue
SBD-010Get amount of users and groups in administrators group on system.Amount of entries: 2; + True
SBD-011Ensure the status of the Bitlocker service is 'Running'.CompliantTrue
SBD-012Ensure that Bitlocker is activated on all volumes.Bitlocker is not activated on all volumes.False
SBD-013Ensure the status of the Windows Defender service is 'Running'.CompliantTrue
SBD-014Ensure Windows Defender Application Guard is enabled.Windows Defender Application Guard is not enabled.False
SBD-015Ensure the Windows Firewall is enabled on all profiles.CompliantTrue
SBD-016Check if the last successful search for updates was in the past 24 hours.CompliantTrue
SBD-017Check if the last successful installation of updates was in the past 5 days.CompliantTrue
SBD-018Ensure Virtualization Based Security is enabled and running.CompliantTrue
SBD-019Ensure Hypervisor-protected Code Integrity (HVCI) is running.CompliantTrue
SBD-020Ensure Credential Guard is running.CompliantTrue
SBD-021Ensure Attack Surface Reduction (ASR) rules are enabled.Compliant (12 rules enabled). For more information on ASR rules, check corresponding benchmarks.True

PowerShell Security-

IdTaskMessageStatus
SBD-022Ensure PowerShell Version is set to version 5 or higher.CompliantTrue
SBD-023Ensure PowerShell Version 2 is uninstalled.PowerShell Version 2 is supported.False
SBD-024Ensure PowerShell is set to configured to use Constrained Language.Language Mode is not set to 'Constrained Language'. Current configuration: FullLanguageFalse
SBD-025Ensure Execution policy is set to set to AllSigned / RemoteSigned.CompliantTrue
SBD-026Ensure PowerShell Commandline Audting is set to 'Enabled'.CompliantTrue
SBD-027Ensure PowerShell Module Logging is set to 'Enabled'.PowerShell Module Logging is not set to 'Enabled'.False
SBD-028Ensure PowerShell ScriptBlockLogging is set to 'Enabled'.CompliantTrue
SBD-029Ensure PowerShell ScriptBlockInvocationLogging is set to 'Enabled'.PowerShell ScriptBlockInvocationLogging is not set to 'Enabled'.False
SBD-030Ensure PowerShell Transcripting is set to 'Enabled'.PowerShell Transcripting is not set to 'Enabled'.False
SBD-031Ensure PowerShell InvocationHeader is set to 'Enabled'.PowerShell InvocationHeader is not set to 'Enabled'.False
SBD-032Ensure PowerShell ProtectedEventLogging is set to set to 'Enabled'.PowerShell ProtectedEventLogging is not set to 'Enabled'.False
SBD-033Ensure .NET Framework version supports PowerShell Version 2 is uninstalled.CompliantTrue

Connectivity Security-

IdTaskMessageStatus
SBD-034Ensure system is configured to deny remote access via Terminal Services.CompliantTrue
SBD-035Ensure system is configured to prevent RDP service.CompliantTrue
SBD-036Ensure NTLM Session Server Security settings are configured.CompliantTrue
SBD-037Ensure WinFW Service is running.CompliantTrue
SBD-038Ensure NetBios is set to 'Disabled'.NetBios is 'Enabled'.False
SBD-039Ensure SMBv1 is set to 'Disabled'.CompliantTrue

Application Control-

IdTaskMessageStatus
SBD-040Ensure Windows Defender Application Control (WDAC) is available.Only supported on Windows 10 Enterprise.None
SBD-041Ensure Windows Defender Application ID Service is running.AppLocker is not running. Currently: StoppedFalse

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity)Risk Assessment
More than 80%Low
Between 65% and 80%Medium
Between 50% and 65%High
Less than 50%Critical
Compliance to Benchmarks (Severity)Risk Assessment
All critical settings compliantLow
1 or more incompliant setting(s)Critical

Table Of Severity Rules

-
IdTaskStatusSeverity
1.1.7(L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'True

Critical

2.2.38(L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)None

Critical

2.3.5.2(L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)None

Critical

2.3.11.4(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'True

Critical

2.3.11.5(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'True

Critical

7.9 A(L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128)True

Critical

7.9 B(L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128)True

Critical

7.9 C(L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128)True

Critical

7.9 D(L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128)True

Critical

9.1.7(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'True

Critical

9.1.8(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'True

Critical

18.3.3(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'True

Critical

18.3.3(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'True

Critical

18.3.6(L1) Ensure 'WDigest Authentication' is set to 'Disabled'True

Critical

18.6.2(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'True

Critical

18.6.3(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'True

Critical

18.9.47.9.2(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'True

Critical

18.9.47.5.1.2 A(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)True

Critical

18.9.47.5.1.2 B(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)True

Critical

18.9.47.5.1.2 C(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)True

Critical

18.9.47.5.1.2 D(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configuredTrue

Critical

18.9.47.5.1.2 E(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)True

Critical

18.9.47.5.1.2 F(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)True

Critical

18.9.47.5.1.2 G(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))True

Critical

18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)True

Critical

18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)True

Critical

18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)True

Critical

18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)True

Critical

18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)True

Critical

18.9.58.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'True

Critical

18.9.58.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'True

Critical

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How do we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here

Contact us:

FB Pro GmbH

Fon: +49 6727 7559039

Web: https://www.fb-pro.com/

Mail: info@fb-pro.com

Can we help you?

Do you need support with system hardening?

Our team of system hardening experts will be happy to provide you with advice and support.

Contact us for a no-obligation inquiry!

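Review bot: This sample report is committed with live identifying data rather than anonymized values, which applies throughout the first hunk (the Samples/ HTML file): the hostname DESKTOP-UTMU75K.fb-pro.com appears both in the generation line ("This report was generated on 12/07/2022 10:37:18 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.") and in the System information table, and the 'Log on as a service' row enumerates the machine's real service accounts ("DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines"). Suggest regenerating the sample on a scrubbed host, or replacing the hostname, domain and account names with placeholders, before the file lands under Samples/. Separately, several task strings in this output carry typos that originate in the auditor's task definitions rather than in the sample itself ("PowerShell Commandline Audting", "Execution policy is set to set to AllSigned / RemoteSigned", "PowerShell is set to configured to use Constrained Language", "ProtectedEventLogging is set to set to 'Enabled'"); these are worth a follow-up fix in the source so that future samples are clean.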
\ No newline at end of file diff --git a/Samples/Microsoft Windows 10 BSI_20220905_134713.html b/Samples/Microsoft Windows 10 BSI_20220905_134713.html new file mode 100644 index 0000000..f1e61b3 --- /dev/null +++ b/Samples/Microsoft Windows 10 BSI_20220905_134713.html @@ -0,0 +1,30 @@ +Windows 10 BSI Report [09/05/2022 13:49:59]

Windows 10 BSI Report

255
1030
1286
80.09
32
5

Settings Overview

Table Of Content

Click the link(s) below for quick access to a report section.

General Benchmarks-

This section contains general benchmarks

Security Base Data-

This section contains basic recommendations for a secure Microsoft Windows configuration.

IdTaskMessageStatus
SBD-001Ensure the system is booting in 'UEFI' mode.CompliantTrue
SBD-002Ensure the system is using SecureBoot.CompliantTrue
SBD-003Ensure the TPM Chip is 'present'.CompliantTrue
SBD-004Ensure the TPM Chip is 'ready'.CompliantTrue
SBD-005Ensure the TPM Chip is 'enabled'.CompliantTrue
SBD-006Ensure the TPM Chip is 'activated'.CompliantTrue
SBD-007Ensure the TPM Chip is 'owned'.CompliantTrue
SBD-008Ensure the TPM Chip is implementing specification version 2.0 or higher.CompliantTrue
SBD-009Get the count of local users on the system.System has 6 or more local users.False
SBD-010Get the count of admin users on the system.System has 6 or more admin users.False
SBD-011Ensure the status of the Bitlocker service is 'Running'.CompliantTrue
SBD-012Ensure that Bitlocker is activated on all volumes.Bitlocker is not activated on all volumes.False
SBD-013Ensure the status of the Windows Defender service is 'Running'.CompliantTrue
SBD-014Ensure the status of the Microsoft Defender for Endpoint service is 'Running'.Service is not 'Running' (More info).False
SBD-015Ensure the Windows Firewall is enabled on all profiles.CompliantTrue
SBD-016Check if the last successful search for updates was in the past 24 hours.CompliantTrue
SBD-017Check if the last successful installation of updates was in the past 5 days.CompliantTrue
SBD-018Ensure Virtualization Based Security is enabled and running.CompliantTrue
SBD-019Ensure Hypervisor-protected Code Integrity (HVCI) is running.CompliantTrue
SBD-020Ensure Credential Guard is running.CompliantTrue
SBD-021Ensure the Attack Surface Reduction (ASR) rules are enabled.11 ASR rules are activated. For more information on the ASR rules, check corresponding benchmarks.Warning
SBD-022Ensure Windows Defender Application Guard is enabled.Windows Defender Application Guard is not enabled.False

BSI Benchmarks SiSyPHuS Logging-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
4.1.1Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
4.1.2Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
4.2.1.1Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'CompliantTrue
4.2.1.2Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.1.3Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.1.4Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.2.1Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'CompliantTrue
4.2.2.2Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.2.3Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.2.4Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.3.1Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'CompliantTrue
4.2.3.2Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'CompliantTrue
4.2.3.3Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'CompliantTrue
4.2.3.4Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.3.1.1Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'CompliantTrue
4.3.2.1.1Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.1.2Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.2.1Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.2.2Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.3.1Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'CompliantTrue
4.3.2.3.2Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.4.1Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.4.2Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.3.1Ensure 'Include command line in process creation events' is set to 'Disabled'CompliantTrue
4.3.4.2Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'CompliantTrue
4.3.4.3Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
5.1.1.1Ensure 'Audit Credential Validation' is set to 'Success and Failure'CompliantTrue
5.1.1.2Ensure 'Audit User Account Management' is set to 'Success and Failure'CompliantTrue
5.1.1.3Ensure 'Audit Account Lockout' is set to include 'Failure'CompliantTrue
5.1.1.4Ensure 'Audit Group Membership' is set to include 'Success'CompliantTrue
5.1.1.5Ensure 'Audit Logoff' is set to include 'Success'CompliantTrue
5.1.1.6Ensure 'Audit Logon' is set to 'Success and Failure'CompliantTrue
5.1.1.7Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'CompliantTrue
5.1.1.8Ensure 'Audit Special Logon' is set to include 'Success'CompliantTrue
5.2.1.1Ensure 'Audit Other System Events' is set to 'Success and Failure'CompliantTrue
5.2.1.2Ensure 'Audit Security State Change' is set to include 'Success'CompliantTrue
5.2.1.3Ensure 'Audit Security System Extension' is set to include 'Success'CompliantTrue
5.2.1.4Ensure 'Audit System Integrity' is set to 'Success and Failure'CompliantTrue
5.2.1.5Ensure 'Audit File Share' is set to 'Success and Failure'CompliantTrue
5.2.1.6Ensure 'Audit Detailed File Share' is set to include 'Failure'CompliantTrue
5.2.1.7Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'CompliantTrue
5.2.1.8Ensure 'Audit Removable Storage' is set to 'Success and Failure'CompliantTrue
5.2.1.9Ensure 'Audit PNP Activity' is set to include 'Success'CompliantTrue
5.3.1.1Ensure 'Audit Security Group Management' is set to include 'Success'CompliantTrue
5.3.1.2Ensure 'Audit Audit Policy Change' is set to include 'Success'CompliantTrue
5.3.1.3Ensure 'Audit Authentication Policy Change' is set to include 'Success'CompliantTrue
5.3.1.4Ensure 'Audit Authorization Policy Change' is set to include 'Success'CompliantTrue
5.3.1.5Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'CompliantTrue
5.3.1.6Ensure 'Audit Other Policy Change Events' is set to include 'Failure'CompliantTrue
5.5.1.1Ensure 'Audit Process Creation' is set to include 'Success'CompliantTrue
5.5.1.2Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'CompliantTrue

BSI Benchmarks SiSyPHuS HD-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
11(HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'.CompliantTrue
13(HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
15(HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'CompliantTrue
18(HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'.CompliantTrue
19(HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
23(HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
28(HD) Ensure 'Enable Font Providers' is set to 'Disabled'. CompliantTrue
29(HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'.CompliantTrue
30(HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. CompliantTrue
31(HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'.CompliantTrue
32(HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
36(HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
38(HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'.Registry key not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
47(HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'.CompliantTrue
48(HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'.CompliantTrue
49(HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
58(HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
62(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'.CompliantTrue
63(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. CompliantTrue
64(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'.CompliantTrue
65(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'.Registry key not found.False
66(HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'.CompliantTrue
67(HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'.CompliantTrue
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
69(HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'.CompliantTrue
70(HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'.Registry key not found.False
71(HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'.CompliantTrue
72(HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. CompliantTrue
73(HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
75(HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. CompliantTrue
76(HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'.CompliantTrue
77(HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. CompliantTrue
78(HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. CompliantTrue
79(HD) Ensure 'Turn off access to the Store' is set to 'Enabled'.CompliantTrue
80(HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
82(HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' .CompliantTrue
83(HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
91(HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. Registry key not found.False
92(HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'.Registry key not found.False
93(HD) Ensure 'Allow Online Tips' is set to 'Disabled'.CompliantTrue
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
104(HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. CompliantTrue
105(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
108(HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
110(HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. Registry value not found.False
111(HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'.Registry value not found.False
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
122(HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. CompliantTrue
123(HD) Ensure 'Allow Use of Camera' is set to 'Disabled'.Registry value is '1'. Expected: 0False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
125(HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
128(HD) Ensure 'Turn off location' is set to 'Enabled'.CompliantTrue
129(HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'.CompliantTrue
130(HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'.CompliantTrue
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
132(HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'.CompliantTrue
133(HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
140(HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. CompliantTrue
141(HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'.CompliantTrue
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
144(HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
150(HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. CompliantTrue
151(HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'.Registry value not found.False
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
154(HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'.CompliantTrue
155(HD) Ensure 'Turn off the Store application' is set to 'Enabled'.CompliantTrue
156(HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '1'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
166(HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.Registry value not found.False
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
176(HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
179(HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user.Registry key not found.False
182(HD) Ensure 'Prevent Codec Download' is set to 'Enabled'.Registry key not found.False
184(HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
190(HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'.Registry value is '1'. Expected: 0False
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
195(HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'.Registry value not found.False
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
219(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'.CompliantTrue
220(ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.CompliantTrue
221(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. CompliantTrue
222(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. CompliantTrue
223(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. CompliantTrue
224(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.CompliantTrue
225(HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.CompliantTrue
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
228(HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
232(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. CompliantTrue
233(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.Registry value is '0'. Expected: 1False
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.Registry value is '0'. Expected: 1False
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Registry value is '0'. Expected: 1False
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
248(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.CompliantTrue
250(HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'.Registry value not found.False
251(HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'.Registry value not found.False
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
273(HD) Ensure 'System settings: Optional subsystems' is set to 'None'. CompliantTrue
274(HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'.CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
316(HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
318(HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
319(HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
322(HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
325(HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
327(HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
329(HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'.CompliantTrue
330(HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
332(HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'.CompliantTrue
333(HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'.CompliantTrue
334(HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'.CompliantTrue
335(HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. CompliantTrue
336(HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'.CompliantTrue
337(HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
340(HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
342(HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
344(HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
346(HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'.CompliantTrue
347(HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'.CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Compliant | True |
| 353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Compliant | True |
| 354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Compliant | True |
| 355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |

User Rights Assignment

| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 281 | (HD) Configure 'Log on as a service'. | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113); the user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; the user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |

Account Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
| 201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
| 202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
| 203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
| 204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
| 205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True |
| 206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
| 207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
| 208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |

Security Options

| Id | Task | Message | Status |
|---|---|---|---|
| 235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
| 236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
| 237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
| 238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
| 249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True |

BSI Benchmarks SiSyPHuS ND

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

| Id | Task | Message | Status |
|---|---|---|---|
| 1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
| 2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True |
| 3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
| 4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
| 5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
| 6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
| 7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
| 8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True |
| 9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
| 12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
| 14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
| 16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
| 17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
| 20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
| 21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
| 22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
| 24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True |
| 25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
| 26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
| 33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
| 34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True |
| 35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
| 37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
| 39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
| 40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
| 41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True |
| 42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
| 43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
| 44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
| 45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
| 46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
| 50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
| 51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
| 52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True |
| 53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
| 54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
| 55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
| 56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
| 57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
| 59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
| 60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
| 61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
| 62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
| 63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
| 64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
| 65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value not found. | False |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured. | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
| 183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
| 220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
| 223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
| 224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
| 233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
361(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'.CompliantTrue
362(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.CompliantTrue
363(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.CompliantTrue
364(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .CompliantTrue
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.CompliantTrue
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue

User Rights Assignment

Id | Task | Message | Status
277 (ND, NE) | Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 (ND, NE) | Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 (ND, NE) | Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 (ND, NE) | Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 (ND, NE) | Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 (ND) | Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113); The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False
285 (ND, NE) | Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 (ND, NE) | Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 (ND, NE) | Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
288 (ND, NE) | Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 (ND, NE) | Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 (ND, NE) | Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True
291 (ND, NE) | Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 (ND, NE) | Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
293 (ND) | Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True
294 (ND, NE) | Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
295 (ND, NE) | Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 (ND, NE) | Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 (ND, NE) | Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 (ND, NE) | Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 (ND, NE) | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 (ND, NE) | Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
301 (ND, NE) | Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 (ND, NE) | Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 (ND, NE) | Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 (ND, NE) | Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
305 (ND, NE) | Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 (ND, NE) | Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 (ND, NE) | Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
308 (ND, NE) | Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
309 (ND, NE) | Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 (ND, NE) | Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 (ND, NE) | Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 (ND, NE) | Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 (ND, NE) | Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 (ND, NE) | Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
315 (ND, NE) | Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False

Account Policies

Id | Task | Message | Status
200 (ND, NE) | Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 (ND, NE) | Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 (ND, NE) | Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 (ND, NE) | Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 (ND, NE) | Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 (ND, NE) | Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True
206 (ND) | Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True
207 (ND) | Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True
208 (ND) | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True

Security Options

Id | Task | Message | Status
235 (ND, NE) | Configure 'Accounts: Rename administrator account'. | Compliant | True
236 (ND, NE) | Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True
237 (ND, NE) | Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True
238 (ND, NE) | Configure 'Accounts: Rename guest account'. | Compliant | True
249 (ND) | Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True

BSI Benchmarks SiSyPHuS NE

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
1 (ND, NE) | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 (ND, NE) | Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 (ND, NE) | Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 (ND, NE) | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 (ND, NE) | Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
6 (ND, NE) | Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False
7 (ND, NE) | Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 (ND, NE) | Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 (ND, NE) | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 (ND, NE) | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
12 (ND, NE) | Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
14 (ND, NE) | Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
16 (ND, NE) | Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 (ND, NE) | Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
20 (ND, NE) | Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 (ND, NE) | Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 (ND, NE) | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
24_1 (ND, NE) | Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 (ND, NE) | Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
33 (ND, NE) | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 (ND) | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 (ND, NE) | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
37 (ND, NE) | Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
39 (ND, NE) | Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 (ND, NE) | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 (ND, NE) | Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True
44 (ND, NE) | Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
46 (ND, NE) | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
50 (ND, NE) | Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
52 (ND, NE) | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 (ND, NE) | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 (ND, NE) | Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 (ND, NE) | Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 (ND, NE) | Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 (ND, NE) | Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
59 (ND, NE) | Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 (ND, NE) | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 (ND, NE) | Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
68 (ND, NE) | Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
74 (ND, NE) | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
81 (ND, NE) | Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
84 (ND, NE) | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 (ND, NE) | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 (ND, NE) | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 (ND, NE) | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 (ND, NE) | Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 (ND, NE) | Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 (ND, NE) | Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
94 (ND, NE) | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 (ND, NE) | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 (ND, NE) | Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 (ND, NE) | Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 (ND, NE) | Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 (ND, NE) | Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1 (ND, NE) | Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False
100_2 (ND, NE) | Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False
101 (ND, NE) | Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True
102 (ND, NE) | Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False
103 (ND, NE) | Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False
106 (ND, NE) | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
107 (ND, NE) | Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
109 (ND, NE) | Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
112 (ND, NE) | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
113 (ND, NE) | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
114 (ND, NE) | Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False
115 (ND, NE) | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
116 (ND, NE) | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
117 (ND, NE) | Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
118 (ND, NE) | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
119 (ND, NE) | Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True
120 (ND, NE) | Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True
121 (ND, NE) | Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False
124 (ND, NE) | Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True
126 (ND, NE) | Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False
127 (ND, NE) | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
131 (ND, NE) | Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
134 (ND, NE) | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
135 (ND, NE) | Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True
136 (ND, NE) | Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
137 (ND, NE) | Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
138 (ND, NE) | Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True
139 (ND, NE) | Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False
142 (ND, NE) | Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
143 (ND, NE) | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True
145 (ND, NE) | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
146 (ND, NE) | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
147 (ND, NE) | Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True
148 (ND, NE) | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
149 (ND, NE) | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
152 (ND, NE) | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True
153 (ND, NE) | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
157 (ND, NE) | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
158 (ND, NE) | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
159 (ND, NE) | Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False
160 (ND, NE) | Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False
161 (ND, NE) | Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True
162 (ND, NE) | Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True
163 (ND, NE) | Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True
164 (ND, NE) | Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True
165 (ND, NE) | Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True
167 (ND, NE) | Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True
168 (ND, NE) | Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True
169 (ND, NE) | Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
170 (ND, NE) | Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True
171 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value not found. | False
172_1 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes). | Compliant | True
172_2 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). | Compliant | True
172_3 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). | Compliant | True
172_4 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). | Compliant | True
172_5 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). | Compliant | True
172_6 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). | Compliant | True
172_7 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). | Compliant | True
172_8 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). | Compliant | True
172_9 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). | Compliant | True
172_10 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). | Compliant | True
172_11 (ND, NE) | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). | Compliant | True
173 (ND, NE) | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True
174 (ND, NE) | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True
175 (ND, NE) | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True
177 (ND, NE) | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 (ND, NE) | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
180 (ND, NE) | Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True
181 (ND, NE) | Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False
183 (ND, NE) | Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False
185 (ND, NE) | Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 (ND, NE) | Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 (ND, NE) | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 (ND, NE) | Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 (ND, NE) | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
191 (ND, NE) | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 (ND, NE) | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 (ND, NE) | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 (ND, NE) | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
196 (ND, NE) | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 (ND, NE) | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 (ND, NE) | Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 (ND, NE) | Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 (ND, NE) | Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 (ND, NE) | Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 (ND, NE) | Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 (ND, NE) | Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 (ND, NE) | Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 (ND, NE) | Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 (ND, NE) | Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 (ND, NE) | Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 (ND, NE) | Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 (ND, NE) | Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
226 (ND, NE) | Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 (ND, NE) | Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 (ND, NE) | Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 (ND, NE) | Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
234 (ND, NE) | Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 (ND, NE) | Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 (ND, NE) | Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 (ND, NE) | Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
242 (ND, NE) | Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 (ND, NE) | Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 (ND, NE) | Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 (ND, NE) | Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
246 (ND, NE) | Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
247 (ND, NE) | Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
252 (ND) | Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 (ND, NE) | Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 (ND, NE) | Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 (ND, NE) | Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 (ND, NE) | Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 (ND) | Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 (ND) | Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 (ND) | Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 (ND, NE) | Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 (ND, NE) | Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 (ND) | Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 (ND) | Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 (ND, NE) | Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 (ND, NE) | Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 (ND) | Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 (ND, NE) | Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 (ND, NE) | Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 (ND, NE) | Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .CompliantTrue
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.CompliantTrue
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue

User Rights Assignment

Id | Task | Message | Status
277 (ND, NE) | Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 (ND, NE) | Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 (ND, NE) | Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 (ND, NE) | Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 (ND, NE) | Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 (ND) | Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113); the user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), LOCAL (S-1-2-0) | False
285 (ND, NE) | Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 (ND, NE) | Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 (ND, NE) | Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
288 (ND, NE) | Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 (ND, NE) | Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; the user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 (ND, NE) | Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True
291 (ND, NE) | Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 (ND, NE) | Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
294 (ND, NE) | Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
295 (ND, NE) | Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 (ND, NE) | Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 (ND, NE) | Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 (ND, NE) | Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 (ND, NE) | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 (ND, NE) | Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
301 (ND, NE) | Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 (ND, NE) | Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 (ND, NE) | Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 (ND, NE) | Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
305 (ND, NE) | Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 (ND, NE) | Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 (ND, NE) | Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
308 (ND, NE) | Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
309 (ND, NE) | Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 (ND, NE) | Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 (ND, NE) | Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 (ND, NE) | Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 (ND, NE) | Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 (ND, NE) | Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
315 (ND, NE) | Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False

Account Policies

Id | Task | Message | Status
200 (ND, NE) | Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 (ND, NE) | Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 (ND, NE) | Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 (ND, NE) | Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 (ND, NE) | Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 (ND, NE) | Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True

Security Options

Id | Task | Message | Status
235 (ND, NE) | Configure 'Accounts: Rename administrator account'. | Compliant | True
236 (ND, NE) | Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True
237 (ND, NE) | Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True
238 (ND, NE) | Configure 'Accounts: Rename guest account'. | Compliant | True

BSI Benchmarks SiM-08202 - BPOL

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
0003 | Ensure 'Configure Automatic Updates' is set to 4. | Registry value not found. | False
0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day'. | Compliant | True
0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. | Compliant | True
0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768'. | Compliant | True
0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False
0037 | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'. | Compliant | True
0038 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'. | Compliant | True
0039 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'. | Registry value not found. | False
0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
0041 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Compliant | True
0065 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry value not found. | False
0101 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled'. | Compliant | True
0109 | Ensure 'Allow Telemetry' is set to 0. | Registry value is '1'. Expected: 0 | False
0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True
0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True
0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True
0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True
0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
0121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True
0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True
0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True
0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True
0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True
0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
0138 | Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False
0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True
0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False
0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True
0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True
0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False
0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Registry value is '1'. Expected: 0 | False
0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True
0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Registry value not found. | False
0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True
0153 | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0154 | Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
0155 | Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
0156 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
0157 | Ensure 'Enable local admin password management' is set to 'Enabled'. | Compliant | True
0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
0159 | Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
0160 | Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Compliant | True
0161 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True
0163 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
0164 | Ensure 'Include command line in process creation events' is set to 'Disabled'. | Registry key not found. | False
0165 | Ensure 'Let Windows apps access account information' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0166 | Ensure 'Let Windows apps access call history' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0167 | Ensure 'Let Windows apps access contacts' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0168 | Ensure 'Let Windows apps access email' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0169 | Ensure 'Let Windows apps access location' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0170 | Ensure 'Let Windows apps access messaging' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0171 | Ensure 'Let Windows apps access motion' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0172 | Ensure 'Let Windows apps access notifications' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0173 | Ensure 'Let Windows apps access the calendar' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0174 | Ensure 'Let Windows apps access the camera' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0175 | Ensure 'Let Windows apps access the microphone' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0176 | Ensure 'Let Windows apps access trusted devices' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0177 | Ensure 'Let Windows apps control radios' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0178 | Ensure 'Let Windows apps make phone calls' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0179 | Ensure 'Let Windows apps sync with devices' is set to 'Enabled:Force Deny'. | Registry value not found. | False
0185 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'. | Registry value not found. | False
0209 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
0210 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
0211 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
0212 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'. | Registry value not found. | False
0213 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'. | Compliant | True
0214 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True
0215 | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'. | Compliant | True
0216 | Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True
0217 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
0218 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0220 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
0221 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
0222 | Ensure 'Require additional authentication at startup' is set to 'Enabled'. | Compliant | True
0223 | Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True
0224 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
0225 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
0229 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
0230 | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
0231 | Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
0232 | Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True
0233 | Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True
0234 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
0235 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
0236 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
0237 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'. | Compliant | True
0238 | Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
0239 | Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True
0240 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True
0241 | Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True
0242 | Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
0243 | Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled'. | Compliant | True
0244 | Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'. | Compliant | True
0245 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True
0246 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True
0247 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True
0248 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled: Block untrusted fonts and log events'. | Compliant | True
0249 | Ensure 'Untrusted Font Blocking' is set to 'Enabled'. | Registry key not found. | False
0250 | Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
0251 | Ensure 'WDigest Authentication' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0253 | Ensure 'Windows Firewall: Domain: Apply local firewall rules' is set to 'Disabled'. | Registry value not found. | False
0254 | Ensure 'Windows Firewall: Domain: Display a notification' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0279 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%windir%\system32\logfiles\firewall\domainfirewall.log'. | Registry value is '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. Expected: %windir%\system32\logfiles\firewall\domainfirewall.log | False
0280 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384'. | Compliant | True
0281 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow'. | Registry value is '0'. Expected: 1 | False
0282 | Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content' is set to 'Enabled'. | Compliant | True
0283 | Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True
0284 | Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
0285 | Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Registry value not found. | False
0286 | Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'. | Compliant | True
0287 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled: Require approval from an administrator before running downloaded unknown software'. | Registry value is '1'. Expected: 2 | False
0288 | Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' is set to 'Enabled'. | Compliant | True
0289 | Ensure 'Don't allow SmartScreen Filter warning overrides' is set to 'Enabled'. | Compliant | True
0290 | Ensure 'Prevent managing SmartScreen Filter' is set to 'Enabled: On'. | Registry value not found. | False
0291 | Ensure 'Prevent managing SmartScreen Filter' is set to 'Enabled: On'. | Compliant | True
0292 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enabled'. | Compliant | True
0293 | Ensure 'Allow Cortana' is set to 'Disabled'. | Compliant | True
0294 | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
0295 | Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. | Registry value not found. | False
0296 | Ensure 'Disable pre-release features or settings' is set to 'Disabled'. | Registry value not found. | False
0297 | Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True
0298 | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Enabled'. | Registry value is '4'. Expected: 2 | False
0299 | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
0300 | Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True
0301 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
0302 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
0304 | Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0306 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True
0307 | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
0308 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
0309 | Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True
0310 | Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
0311 | Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True
0312 | Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
0313 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
0323 | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'. | Compliant | True
0324 | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'. | Compliant | True
0325 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'XTS-AES 256-bit'. | Registry value not found. | False
0328 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'. | Compliant | True
0329 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'. | Compliant | True
0330 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'. | Registry value not found. | False
0331 | Ensure 'Configure minimum PIN length for startup' is set to 'Enabled' and 'minimum characters' is set to 10. | Registry value not found. | False
0332 | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled'. | Compliant | True
0333 | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled'. | Compliant | True
0334 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled'. | Compliant | True
0335 | Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'. | Compliant | True
0336 | Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'. | Compliant | True
0337 | Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'. | Registry value not found. | False
0338 | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'. | Compliant | True
0339 | Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'. | Compliant | True
0340 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. | Compliant | True
0342 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for fixed data drives'. | Compliant | True
0343 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for operating system drives'. | Compliant | True
0344 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Save BitLocker recovery information to AD DS for removable data drives'. | Compliant | True
0345 | Ensure 'Require additional authentication at startup' is set to 'Do not allow startup key and PIN with TPM'. | Registry value not found. | False
0346 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Allow data recovery agent'. | Compliant | True
0347 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Allow data recovery agent'. | Compliant | True
0348 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Allow data recovery agent'. | Compliant | True
0349 | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0350 | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0351 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0352 | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Require use of smart cards on fixed data drives'. | Compliant | True
0353 | Ensure 'Configure use of smart cards on removable data drives' is set to 'Require use of smart cards on removable data drives'. | Compliant | True
0354 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Do not allow write access to devices configured in another organization'. | Registry value is '0'. Expected: 1 | False
0355 | Ensure 'Password Settings' is set to 'Large letters + small letters + numbers + specials'. | Compliant | True
0358 | Ensure 'Require additional authentication at startup' is set to 'Allow BitLocker without a compatible TPM'. | Compliant | True
0359 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard'. | Compliant | True
0360 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard (Test)'. | Compliant | True
0361 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Omit recovery options from the BitLocker setup wizard (True)'. | Compliant | True
0362 | Ensure 'Require additional authentication at startup' is set to 'Do not allow startup key with TPM'. | Registry value not found. | False
0363 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Allow 48-digit recovery password'. | Compliant | True
0364 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Require 48-digit recovery password'. | Registry value is '2'. Expected: 1 | False
0365 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Do not allow 48-digit recovery password'. | Registry value not found. | False
0366 | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'. | Compliant | True
0367 | Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True
0368 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True
0369 | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Password Length' and that value is greater than or equal to 15. | Registry value is '14'. Expected: x >= 15 | False
0370 | Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Also apply to matching devices that are already installed. (True)'. | Registry value not found. | False
0371 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Also apply to matching devices that are already installed. (True)'. | Compliant | True
0372 | Ensure 'Require additional authentication at startup' is set to 'Do not allow TPM'. | Registry value not found. | False
0373 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'. | Compliant | True
0374 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'. | Compliant | True
0375Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'.CompliantTrue
0376Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'.CompliantTrue
0377Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'.CompliantTrue
0378Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'.CompliantTrue
0380Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'.CompliantTrue
0384Ensure 'Password Age' set to less or equal 42.Registry value is '10'. Expected: 42False
0385Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'.Registry value not found.False
0386Ensure 'Turn on PowerShell Transcription' set to 'Disabled'.CompliantTrue
0387Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'.Registry value is '0'. Expected: 1False
0388Ensure 'Require secure RPC communication' set to 'Enabled'.CompliantTrue
0389Ensure 'Set client connection encryption level' set to 'Enabled: High Level'.CompliantTrue
0390Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'.Registry value is '900000'. Expected: 300000False
0391Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'.CompliantTrue

User Rights Assignment

Id | Task | Message | Status
0044 | Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled' | Compliant | True
0045 | Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup Operators | False
0046 | Ensure 'SeTcbPrivilege' is set to 'None' | Compliant | True
0047 | Ensure 'Adjust memory quotas for a process' set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
0048 | Ensure 'Allow log on locally' set to 'Administrators, Users' | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
0049 | Ensure 'SeBackupPrivilege' is set to 'Administrator' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
0050 | Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE' | Compliant | True
0051 | Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\Users | False
0052 | Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICE | False
0053 | Ensure 'SeCreateTokenPrivilege' is set to 'None' | Compliant | True
0054 | Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0055 | Ensure 'SeCreatePermanentPrivilege' is set to 'None' | Compliant | True
0056 | Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator' | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
0057 | Ensure 'SeDebugPrivilege' is set to 'Administrator' | Compliant | True
0064 | Ensure 'SeEnableDelegationPrivilege' is set to 'None' | Compliant | True
0066 | Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator' | Compliant | True
0067 | Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0068 | Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICE | False
0069 | Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator' | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False
0085 | Ensure 'SeRelabelPrivilege' is set to 'None' | Compliant | True
0086 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator' | Compliant | True
0087 | Ensure 'SeManageVolumePrivilege' is set to 'Administrator' | Compliant | True
0088 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator' | Compliant | True
0089 | Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE/WdiServiceHost' | Compliant | True
0090 | Ensure 'SeRestorePrivilege' is set to 'Administrator' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
0091 | Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users' | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
0094 | Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator' | Compliant | True
0104 | Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest' | The user right 'SeDenyNetworkLogonRight' contains following unexpected users: LOCAL. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False
0105 | Ensure 'SeDenyBatchLogonRight' is set to 'Guest' | Compliant | True
0106 | Ensure 'SeDenyServiceLogonRight' is set to 'Guest' | Compliant | True
0107 | Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest' | Compliant | True
0108 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest' | Compliant | True
0180 | Ensure 'Load and unload device drivers' is set to 'Administrator' | Compliant | True
0181 | Ensure 'Lock pages in memory' is set to 'No one' | Compliant | True
0182 | Ensure 'Log on as a batch job' is set to 'Administrator' | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False
0183 | Ensure 'Log on as a service' is set to 'No one' | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False
0184 | Ensure 'Manage auditing and security log' is set to 'Administrator' | Compliant | True
0219 | Ensure 'Replace a process level token' is set to 'Local Service, Network Service' | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
0303 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Administrators | False

Account Policies

Id | Task | Message | Status
0001 | Ensure 'Maximum password age' is set to between 1 and 42 | 'MaximumPasswordAge' currently set to: 60. Expected: x <= 42 and x >= 1 | False
0002 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True
0100 | Ensure 'Reset account lockout counter after' is set greater or equal 15 | Compliant | True
0102 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True
0103 | Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10 | Compliant | True
0162 | Ensure 'Enforce password history' is set greater or equal 24 | Compliant | True
0186 | Ensure 'Minimum password age' is set to greater or equal 1 | Compliant | True
0187 | Ensure 'Minimum password length' is set to greater or equal 14 | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
0008 | Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Compliant | True
0011 | Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' | Set to: No Auditing | False
0012 | Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure' | Set to: Success | False
0013 | Ensure 'Audit account management' is set to 'SuccessAndFailure' | Compliant | True
0014 | Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure' | Set to: Success | False
0015 | Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure' | Set to: Success | False
0016 | Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure' | Compliant | True
0017 | Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure' | Set to: Failure | False
0018 | Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure' | Compliant | True
0019 | Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure' | Compliant | True
0020 | Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled' | Compliant | True
0021 | Ensure 'Audit Policy: Object Access: Removable Storage' is set to 'SuccessAndFailure' | Compliant | True
0022 | Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure' | Set to: Success | False
0023 | Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure' | Set to: Success | False
0025 | Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure' | Compliant | True
0026 | Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure' | Compliant | True
0027 | Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure' | Set to: Success | False
0028 | Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure' | Set to: Success | False
0029 | Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure' | Compliant | True

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 09/05/2022 13:50:04 on DESKTOP-UTMU75K.fb-pro.com with ATAPHtmlReport version 1.8.

System information

Hostname | DESKTOP-UTMU75K.fb-pro.com
Domain role | Member Workstation
Operating System | Microsoft Windows 10 Pro
Build Number | 19044
Installation Language | English (United States)
Free disk space (GB) | 40.2
Free physical memory (GB) | 3.2% (0.7 GB / 22.8 GB)

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

[Risk score gauges: "Severity" and "Quantity", each rated on the scale Critical / High / Medium / Low]

A total of 1286 tests have been executed.

  1. True 1030 test(s) ≙ 80.09%
  2. False 255 test(s) ≙ 19.83%
  3. Warning 1 test(s) ≙ 0.08%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

General Benchmarks

A total of 22 tests have been executed in section General Benchmarks.

  1. True 16 test(s) ≙ 72.73%
  2. False 5 test(s) ≙ 22.73%
  3. Warning 1 test(s) ≙ 4.55%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.

  1. True 51 test(s) ≙ 100.00%
  2. False 0 test(s) ≙ 0.00%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS HD

A total of 384 tests have been executed in section BSI Benchmarks SiSyPHuS HD.

  1. True 318 test(s) ≙ 82.81%
  2. False 66 test(s) ≙ 17.19%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS ND

A total of 292 tests have been executed in section BSI Benchmarks SiSyPHuS ND.

  1. True 244 test(s) ≙ 83.56%
  2. False 48 test(s) ≙ 16.44%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS NE

A total of 262 tests have been executed in section BSI Benchmarks SiSyPHuS NE.

  1. True 215 test(s) ≙ 82.06%
  2. False 47 test(s) ≙ 17.94%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiM-08202 - BPOL

A total of 275 tests have been executed in section BSI Benchmarks SiM-08202 - BPOL.

  1. True 186 test(s) ≙ 67.64%
  2. False 89 test(s) ≙ 32.36%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

[Risk score gauges: "Severity" and "Quantity", each rated on the scale Critical / High / Medium / Low]

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity) | Risk Assessment
More than 85% | Low
Between 70% and 85% | Medium
Between 55% and 70% | High
Less than 55% | Critical

Compliance to Benchmarks (Severity) | Risk Assessment
All critical settings compliant | Low
1 or more incompliant setting(s) | Critical

Severity Compliance

Id | Task | Status
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True
2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True
2.3.5.2 | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) | None
2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | True
2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True
7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | True
7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | True
7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | True
7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | True
9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | True
9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | True
18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | True
18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | True
18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | True
18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | False
18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | False
18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | False
18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | True
18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | True
18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | True
18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | True
18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | True
18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | True
18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | True
18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | True
18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | True
18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | True
18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | True
18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | False
18.9.48.11 | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' | True
18.9.58.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | True
18.9.58.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | True

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How do we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here
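Review bot: the sample report added in this hunk carries what looks like real environment data rather than synthetic sample data: the hostname and domain DESKTOP-UTMU75K.fb-pro.com in the "System information" block and the generation line, the local account DESKTOP-UTMU75K\OldGuest and the SQL Server service accounts in the 'Log on as a service' and 'Replace a process level token' findings. For a public Samples/ directory, generate the HTML from a scrubbed or purpose-built host so the repository does not disclose the vendor's own workstation layout. Two smaller issues in the same file are worth a follow-up in the report generator rather than in this sample: the "Severity Compliance" table uses id 18.3.3 for both the 'Configure SMB v1 client driver' and 'Configure SMB v1 server' checks, and several task titles carry stray suffixes such as '(Test)', '(True)' and '(False)' (for example ids 0360, 0361, 0367, 0368, 0373), which reads like debugging text that leaked into the benchmark definitions.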

diff --git a/Samples/Microsoft Windows Server 2022_20220905_052544.html b/Samples/Microsoft Windows Server 2022_20220905_052544.html new file mode 100644 index 0000000..7250bc4 --- /dev/null +++ b/Samples/Microsoft Windows Server 2022_20220905_052544.html @@ -0,0 +1,18 @@ +Windows Server 2022 Audit Report [09/05/2022 05:26:17]

Windows Server 2022 Audit Report

[Report header counters: 711, 144, 857, 16.8, 33, 30]

Settings Overview

Table Of Content

Click the link(s) below for quick access to a report section.

General Benchmarks

This section contains general benchmarks

Security Base Data

This section contains basic recommendations for a secure Microsoft Windows configuration.

Id | Task | Message | Status
SBD-001 | Ensure the system is booting in 'UEFI' mode. | Compliant | True
SBD-002 | Ensure the system is using SecureBoot. | Compliant | True
SBD-003 | Ensure the TPM Chip is 'present'. | The TPM Chip is not 'present'. | False
SBD-004 | Ensure the TPM Chip is 'ready'. | The TPM Chip is not 'ready'. | False
SBD-005 | Ensure the TPM Chip is 'enabled'. | The TPM Chip is not 'enabled'. | False
SBD-006 | Ensure the TPM Chip is 'activated'. | The TPM Chip is not 'activated'. | False
SBD-007 | Ensure the TPM Chip is 'owned'. | The TPM Chip is not 'owned'. | False
SBD-008 | Ensure the TPM Chip is implementing specification version 2.0 or higher. | No TPM Chip detected. | None
SBD-009 | Get the count of local users on the system. | System has 3-5 local users. | Warning
SBD-010 | Get the count of admin users on the system. | Compliant | True
SBD-011 | Ensure the status of the Bitlocker service is 'Running'. | Bitlocker feature is not installed. | False
SBD-012 | Ensure that Bitlocker is activated on all volumes. | Bitlocker feature is not installed. | False
SBD-013 | Ensure the status of the Windows Defender service is 'Running'. | Compliant | True
SBD-014 | Ensure the status of the Microsoft Defender for Endpoint service is 'Running'. | Service is not 'Running' (More info). | False
SBD-015 | Ensure the Windows Firewall is enabled on all profiles. | Compliant | True
SBD-016 | Check if the last successful search for updates was in the past 24 hours. | Last search for updates was more than 5 days ago. | False
SBD-017 | Check if the last successful installation of updates was in the past 5 days. | Compliant | True
SBD-018 | Ensure Virtualization Based Security is enabled and running. | VBS is not activated. | False
SBD-019 | Ensure Hypervisor-protected Code Integrity (HVCI) is running. | HVCI is not running. | False
SBD-020 | Ensure Credential Guard is running. | Credential Guard is not running. | False
SBD-021 | Ensure the Attack Surface Reduction (ASR) rules are enabled. | ASR rules are not enabled. | False
SBD-022 | Ensure Windows Defender Application Guard is enabled. | Windows Defender Application Guard is not enabled. | False

Microsoft Benchmarks

This section contains all benchmarks from Microsoft

Registry Settings/Group Policies

Id | Task | Message | Status
Registry-001 | Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer' is set to 'Enabled'. | Registry value not found. | False
Registry-002 | Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. | Registry value not found. | False
Registry-003 | Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. | Registry key not found. | False
Registry-004 | Set registry value 'CheckExeSignatures' to yes. | Registry key not found. | False
Registry-005 | Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. | Registry key not found. | False
Registry-006 | Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. | Registry key not found. | False
Registry-007 | Set registry value 'Isolation' to PMEM. | Registry key not found. | False
Registry-008 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-009 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-010 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-011 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-012 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-013 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-014 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-015 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-016 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-017 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-018 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-019 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-020 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-021 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-022 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-023 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-024 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-025 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-026 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-027 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-028 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-029 | Set registry value '(Reserved)' to 1. | Registry key not found. | False
Registry-030 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False
Registry-031 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False
Registry-032 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Registry key not found. | False
Registry-033 | Set registry value 'PreventOverride' to 1. | Registry key not found. | False
Registry-034 | Ensure 'Prevent managing SmartScreen Filter' is set to 'On'. | Registry key not found. | False
Registry-035 | Set registry value 'NoCrashDetection' to 1. | Registry key not found. | False
Registry-036 | Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'. | Registry key not found. | False
Registry-037 | Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'. | Registry key not found. | False
Registry-038 | Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'. | Registry key not found. | False
Registry-039 | Set registry value 'Security_zones_map_edit' to 1. | Registry value not found. | False
Registry-040 | Set registry value 'Security_options_edit' to 1. | Registry value not found. | False
Registry-041 | Set registry value 'Security_HKLM_only' to 1. | Registry value not found. | False
Registry-042 | Ensure 'Check for server certificate revocation' is set to 'Enabled'. | Registry value not found. | False
Registry-043 | Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'. | Registry value not found. | False
Registry-044 | Set registry value 'WarnOnBadCertRecving' to 1. | Registry value not found. | False
Registry-045 | Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'. | Registry value not found. | False
Registry-046 | Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'. | Registry value not found. | False
Registry-047 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False
Registry-048 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False
Registry-049 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False
Registry-050 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False
Registry-051 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False
Registry-052 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False
Registry-053 | Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'. | Registry key not found. | False
Registry-054 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False
Registry-055 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-056 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-057 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False
Registry-058 | Ensure 'Java permissions' is set to 'High safety'. | Registry key not found. | False
Registry-059 | Ensure 'Java permissions' is set to 'High safety'. | Registry key not found. | False
Registry-060 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-061 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False
Registry-062 | Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. | Registry key not found. | False
Registry-063 | Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. | Registry key not found. | False
Registry-064 | Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. | Registry key not found. | False
Registry-065 | Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. | Registry key not found. | False
Registry-066 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False
Registry-067 | Ensure 'Access data sources across domains' is set to 'Disable'. | Registry key not found. | False
Registry-068 | Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. | Registry key not found. | False
Registry-069 | Ensure 'Automatic prompting for file downloads' is set to 'Disable'. | Registry key not found. | False
Registry-070 | Ensure 'Allow scriptlets' is set to 'Disable'. | Registry key not found. | False
Registry-071 | Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. | Registry key not found. | False
Registry-072 | Ensure 'Use Pop-up Blocker' is set to 'Enable'. | Registry key not found. | False
Registry-073 | Ensure 'Turn on Protected Mode' is set to 'Enable'. | Registry key not found. | False
Registry-074 | Ensure 'Allow updates to status bar via script' is set to 'Disable'. | Registry key not found. | False
Registry-075 | Ensure 'Userdata persistence' is set to 'Disable'. | Registry key not found. | False
Registry-076 | Ensure 'Allow loading of XAML files' is set to 'Disable'. | Registry key not found. | False
Registry-077 | Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. | Registry key not found. | False
Registry-078 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False
Registry-079 | Ensure 'Download signed ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-080 | Ensure 'Logon options' is set to 'Prompt for user name and password'. | Registry key not found. | False
Registry-081 | Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. | Registry key not found. | False
Registry-082 | Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-083 | Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. | Registry key not found. | False
Registry-084 | Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. | Registry key not found. | False
Registry-085 | Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. | Registry key not found. | False
Registry-086 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-087 | Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. | Registry key not found. | False
Registry-088 | Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. | Registry key not found. | False
Registry-089 | Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. | Registry key not found. | False
Registry-090 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False
Registry-091 | Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'. | Registry key not found. | False
Registry-092 | Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. | Registry key not found. | False
Registry-093 | Set registry value '140C' to 3. | Registry key not found. | False
Registry-094 | Ensure 'Allow META REFRESH' is set to 'Disable'. | Registry key not found. | False
Registry-095 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False
Registry-096 | Ensure 'Download signed ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-097 | Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. | Registry key not found. | False
Registry-098 | Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. | Registry key not found. | False
Registry-099 | Ensure 'Use Pop-up Blocker' is set to 'Enable'. | Registry key not found. | False
Registry-100 | Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. | Registry key not found. | False
Registry-101 | Ensure 'Userdata persistence' is set to 'Disable'. | Registry key not found. | False
Registry-102 | Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. | Registry key not found. | False
Registry-103 | Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. | Registry key not found. | False
Registry-104 | Ensure 'Access data sources across domains' is set to 'Disable'. | Registry key not found. | False
Registry-105 | Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. | Registry key not found. | False
Registry-106 | Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. | Registry key not found. | False
Registry-107 | Ensure 'Automatic prompting for file downloads' is set to 'Disable'. | Registry key not found. | False
Registry-108 | Ensure 'Allow binary and script behaviors' is set to 'Disable'. | Registry key not found. | False
Registry-109 | Ensure 'Scripting of Java applets' is set to 'Disable'. | Registry key not found. | False
Registry-110 | Ensure 'Allow file downloads' is set to 'Disable'. | Registry key not found. | False
Registry-111 | Ensure 'Allow loading of XAML files' is set to 'Disable'. | Registry key not found. | False
Registry-112 | Ensure 'Allow active scripting' is set to 'Disable'. | Registry key not found. | False
Registry-113Ensure 'Logon options' is set to 'Anonymous logon'.Registry key not found.False
Registry-114Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-115Ensure 'Turn on Protected Mode' is set to 'Enable'.Registry key not found.False
Registry-116Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.Registry key not found.False
Registry-117Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-118Ensure 'Allow scriptlets' is set to 'Disable'.Registry key not found.False
Registry-119Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-120Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.Registry key not found.False
Registry-121Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.Registry key not found.False
Registry-122Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.Registry key not found.False
Registry-123Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry key not found.False
Registry-124Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.Registry key not found.False
Registry-125Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.Registry key not found.False
Registry-126Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.Registry key not found.False
Registry-127Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-128Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.Registry key not found.False
Registry-129Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.Registry key not found.False
Registry-130Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.Registry key not found.False
Registry-131Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry key not found.False
Registry-132Set registry value '140C' to 3.Registry key not found.False
Registry-133Ensure 'Turn off Autoplay' is set to 'All drives'.Registry value not found.False
Registry-134Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.Registry value not found.False
Registry-135Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.CompliantTrue
Registry-136Set registry value 'LocalAccountTokenFilterPolicy' to 0.Registry value not found.False
Registry-137Set registry value 'AllowEncryptionOracle' to 0.Registry key not found.False
Registry-138Set registry value 'EnhancedAntiSpoofing' to 1.Registry key not found.False
Registry-139Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.Registry key not found.False
Registry-140Set registry value 'AllowProtectedCreds' to 1.Registry key not found.False
Registry-141Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-142Ensure 'Specify the maximum log file size (KB)' is set to '196608'.Registry key not found.False
Registry-143Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-144Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.Registry key not found.False
Registry-145Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-146Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-148Ensure 'Allow user control over installs' is set to 'Disabled'.Registry key not found.False
Registry-149Set registry value 'DeviceEnumerationPolicy' to 0.Registry key not found.False
Registry-150Ensure 'Enable insecure guest logons' is set to 'Disabled'.Registry key not found.False
Registry-151Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-152Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-153Set registry value 'NoLockScreenCamera' to 1.Registry key not found.False
Registry-154Set registry value 'NoLockScreenSlideshow' to 1.Registry key not found.False
Registry-155Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.Registry key not found.False
Registry-156Ensure 'Turn on PowerShell Script Block Logging' is not set.Compliant. Registry key not found.True
Registry-157Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.Registry value not found.False
Registry-158Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.Registry value not found.False
Registry-159Set registry value 'ShellSmartScreenLevel' to Block.Registry value not found.False
Registry-160Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.Registry key not found.False
Registry-161Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-162Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-163Ensure 'Disallow Digest authentication' is set to 'Enabled'.Registry key not found.False
Registry-164Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-165Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-166Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.Registry key not found.False
Registry-167Ensure 'Turn off multicast name resolution' is set to 'Enabled'.Registry key not found.False
Registry-168Set registry value 'RestrictDriverInstallationToAdministrators' to 1.Registry key not found.False
Registry-169Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'.Registry key not found.False
Registry-170Set registry value 'DisablePasswordSaving' to 1.Registry value not found.False
Registry-171Set registry value 'fDisableCdm' to 1.Registry value not found.False
Registry-172Set registry value 'fPromptForPassword' to 1.Registry value not found.False
Registry-173Set registry value 'fEncryptRPCTraffic' to 1.Registry value not found.False
Registry-174Set registry value 'MinEncryptionLevel' to 3.Registry value not found.False
Registry-175Set registry value 'PolicyVersion' to 538.Registry key not found.False
Registry-176Domain: Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-177Domain: Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-178Domain: Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-179Private: Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-180Private: Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-181Private: Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-182Public: Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-183Public: Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-184Public: Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-185Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.Registry key not found.False
Registry-186Set registry value 'AdmPwdEnabled' to 1.Registry key not found.False
Registry-187Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.Registry value not found.False
Registry-188Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.CompliantTrue
Registry-189Set registry value 'DriverLoadPolicy' to 3.Registry key not found.False
Registry-190Ensure 'Configure SMB v1 server' is set to 'Disabled'.Registry value not found.False
Registry-191Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.Registry key not found.False
Registry-192Set registry value 'NoNameReleaseOnDemand' to 1.Registry value not found.False
Registry-193Set registry value 'NodeType' to 2.Registry value not found.False
Registry-194Set registry value 'EnableICMPRedirect' to 0.Registry value not found.False
Registry-195Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-196Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-197Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA).Registry value not found.False
Registry-198Set registry value 'EnablePlainTextPassword' to 0.CompliantTrue
Registry-199Set registry value 'NoLMHash' to 1.CompliantTrue
Registry-200Set registry value 'LimitBlankPasswordUse' to 1.CompliantTrue
Registry-201Set registry value 'ProtectionMode' to 1.CompliantTrue
Registry-202Set registry value 'RestrictAnonymous' to 1.Registry value is '0'. Expected: 1False
Registry-203Set registry value 'RestrictNullSessAccess' to 1.CompliantTrue
Registry-204Set registry value 'RestrictAnonymousSAM' to 1.CompliantTrue
Registry-205Set registry value 'requirestrongkey' to 1.CompliantTrue
Registry-206Set registry value 'requiresecuritysignature' to 1.Registry value is '0'. Expected: 1False
Registry-207Set registry value 'RequireSecuritySignature' to 1.Registry value is '0'. Expected: 1False
Registry-208Set registry value 'signsecurechannel' to 1.CompliantTrue
Registry-209Set registry value 'requiresignorseal' to 1.CompliantTrue
Registry-210Set registry value 'NTLMMinServerSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-211Set registry value 'sealsecurechannel' to 1.CompliantTrue
Registry-212Set registry value 'NTLMMinClientSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-213Set registry value 'LmCompatibilityLevel' to 5.Registry value not found.False
Registry-214Set registry value 'LDAPClientIntegrity' to 1.CompliantTrue
Registry-215Set registry value 'EnableSecureUIAPaths' to 1.CompliantTrue
Registry-216Set registry value 'ConsentPromptBehaviorUser' to 0.Registry value is '3'. Expected: 0False
Registry-217Set registry value 'ConsentPromptBehaviorAdmin' to 2.Registry value is '5'. Expected: 2False
Registry-218Set registry value 'EnableInstallerDetection' to 1.CompliantTrue
Registry-219Set registry value 'EnableLUA' to 1.CompliantTrue
Registry-220Set registry value 'FilterAdministratorToken' to 1.Registry value not found.False
Registry-221Set registry value 'EnableVirtualization' to 1.CompliantTrue
Registry-222Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.Registry value not found.False
Registry-223Set registry value 'ScRemoveOption' to 1.Registry value is '0'. Expected: 1False
Registry-224Set registry value 'InactivityTimeoutSecs' to 900.Registry value not found.False
Registry-225Set registry value 'allownullsessionfallback' to 0.Registry value not found.False
Registry-273Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.Registry key not found.False
Registry-274Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.Registry key not found.False
Registry-275Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-276Set registry value 'HVCIMATRequired' to 1.Registry key not found.False
Registry-277Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-278Set registry value 'ConfigureSystemGuardLaunch' to 1.Registry key not found.False
Registry-279Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.Registry key not found.False
Registry-280Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.Registry key not found.False
Registry-281Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-282Set registry value 'HVCIMATRequired' to 1.Registry key not found.False
Registry-283Ensure 'Turn On Virtualization Based Security' is set to 'Disabled'.Registry key not found.False
Registry-284Set registry value 'ConfigureSystemGuardLaunch' to 1.Registry key not found.False
Registry-285Set registry value 'PUAProtection' to 1.Registry key not found.False
Registry-286Set registry value 'MpCloudBlockLevel' to 2.Registry key not found.False
Registry-287Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'.Registry key not found.False
Registry-288Ensure 'Turn off real-time protection' is set to 'Disabled'.Registry key not found.False
Registry-289Set registry value 'DisableScriptScanning' to 0.Registry key not found.False
Registry-290Ensure 'Scan removable drives' is set to 'Enabled'.Registry key not found.False
Registry-291Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'.Registry key not found.False
Registry-292Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'.Registry key not found.False
Registry-293Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'.Registry key not found.False
Registry-294Set registry value 'ExploitGuard_ASR_Rules' to 1.Registry key not found.False
Registry-295Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes)Registry key not found.False
Registry-296Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)Registry key not found.False
Registry-297Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)Registry key not found.False
Registry-298Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)Registry key not found.False
Registry-299Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)Registry key not found.False
Registry-300Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)Registry key not found.False
Registry-301Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)Registry key not found.False
Registry-302Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))Registry key not found.False
Registry-303Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)Registry key not found.False
Registry-304Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)Registry key not found.False
Registry-305Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)Registry key not found.False
Registry-306Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware)Registry key not found.False
Registry-307Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)Registry key not found.False
Registry-308Set registry value 'EnableNetworkProtection' to 1.Registry key not found.False
Registry-316Set registry value 'FormSuggest Passwords' to 1.Registry key not found.False
Registry-317Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'.Registry key not found.False
Registry-318Set registry value 'FormSuggest Passwords' to no.Registry key not found.False
Registry-319Ensure 'Turn off Autoplay' is set to 'All drives'.Registry value not found.False
Registry-320Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.Registry value not found.False
Registry-321Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.CompliantTrue
Registry-322Set registry value 'AllowEncryptionOracle' to 0.Registry key not found.False
Registry-323Set registry value 'EnhancedAntiSpoofing' to 1.Registry key not found.False
Registry-324Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.Registry key not found.False
Registry-325Set registry value 'AllowProtectedCreds' to 1.Registry key not found.False
Registry-326Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-327Ensure 'Specify the maximum log file size (KB)' is set to '196608'.Registry key not found.False
Registry-328Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-329Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.Registry key not found.False
Registry-330Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-331Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-332Set registry value 'AlwaysInstallElevated' to 0.Registry key not found.False
Registry-333Ensure 'Allow user control over installs' is set to 'Disabled'.Registry key not found.False
Registry-334Set registry value 'DeviceEnumerationPolicy' to 0.Registry key not found.False
Registry-335Ensure 'Enable insecure guest logons' is set to 'Disabled'.Registry key not found.False
Registry-336Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-337Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-338Set registry value 'NoLockScreenCamera' to 1.Registry key not found.False
Registry-339Set registry value 'NoLockScreenSlideshow' to 1.Registry key not found.False
Registry-340Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.Registry key not found.False
Registry-341Ensure 'Turn on PowerShell Script Block Logging' is not set.Compliant. Registry key not found.True
Registry-343Set registry value 'EnforcementMode' to 1.Registry key not found.False
Registry-358Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.Registry value not found.False
Registry-359Set registry value 'ShellSmartScreenLevel' to Block.Registry value not found.False
Registry-360Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.Registry key not found.False
Registry-361Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-362Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-363Ensure 'Disallow Digest authentication' is set to 'Enabled'.Registry key not found.False
Registry-364Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-365Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-366Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.Registry key not found.False
Registry-367Ensure 'Turn off multicast name resolution' is set to 'Enabled'.Registry key not found.False
Registry-368Set registry value 'RestrictDriverInstallationToAdministrators' to 1.Registry key not found.False
Registry-369Set registry value 'DisablePasswordSaving' to 1.Registry value not found.False
Registry-370Set registry value 'fDisableCdm' to 1.Registry value not found.False
Registry-371Set registry value 'fPromptForPassword' to 1.Registry value not found.False
Registry-372Set registry value 'fEncryptRPCTraffic' to 1.Registry value not found.False
Registry-373Set registry value 'MinEncryptionLevel' to 3.Registry value not found.False
Registry-374Set registry value 'PolicyVersion' to 538.Registry key not found.False
Registry-375Domain: Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-376Domain: Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-377Domain: Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-378Private: Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-379Private: Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-380Private: Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-381Public: Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-382Public: Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-383Public: Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-384Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.Registry key not found.False
Registry-385Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.Registry value not found.False
Registry-386Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.CompliantTrue
Registry-387Set registry value 'DriverLoadPolicy' to 3.Registry key not found.False
Registry-388Ensure 'Configure SMB v1 server' is set to 'Disabled'.Registry value not found.False
Registry-389Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.Registry key not found.False
Registry-390Set registry value 'NoNameReleaseOnDemand' to 1.Registry value not found.False
Registry-391Set registry value 'NodeType' to 2.Registry value not found.False
Registry-392Set registry value 'EnableICMPRedirect' to 0.Registry value not found.False
Registry-393Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-394Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-395Set registry value 'allownullsessionfallback' to 0.Registry value not found.False
Registry-396Set registry value 'InactivityTimeoutSecs' to 900.Registry value not found.False
Registry-397Set registry value 'ScRemoveOption' to 1.Registry value is '0'. Expected: 1False
Registry-398Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.Registry value not found.False
Registry-399Set registry value 'EnableVirtualization' to 1.CompliantTrue
Registry-400Set registry value 'FilterAdministratorToken' to 1.Registry value not found.False
Registry-401Set registry value 'EnableLUA' to 1.CompliantTrue
Registry-402Set registry value 'EnableInstallerDetection' to 1.CompliantTrue
Registry-403Set registry value 'ConsentPromptBehaviorAdmin' to 2.Registry value is '5'. Expected: 2False
Registry-404Set registry value 'ConsentPromptBehaviorUser' to 0.Registry value is '3'. Expected: 0False
Registry-405Set registry value 'EnableSecureUIAPaths' to 1.CompliantTrue
Registry-406Set registry value 'LDAPClientIntegrity' to 1.CompliantTrue
Registry-407Set registry value 'LmCompatibilityLevel' to 5.Registry value not found.False
Registry-408Set registry value 'NTLMMinClientSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-409Set registry value 'sealsecurechannel' to 1.CompliantTrue
Registry-410Set registry value 'NTLMMinServerSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-411Set registry value 'requiresignorseal' to 1.CompliantTrue
Registry-423Set registry value 'LDAPServerIntegrity' to 2.Registry key not found.False
Registry-424Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled, always (recommended)'.Registry key not found.False

User Rights Assignment

Id | Task | Message | Status
UserRight-227 | Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-228 | Ensure 'SeCreateTokenPrivilege' is set to '' | Compliant | True
UserRight-229 | Ensure 'SeTrustedCredManAccessPrivilege' is set to '' | Compliant | True
UserRight-230 | Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-231 | Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-232 | Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-233 | Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
UserRight-234 | Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544' | Compliant | True
UserRight-235 | Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-236 | Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544' | The user right 'SeInteractiveLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators | False
UserRight-237 | Ensure 'SeEnableDelegationPrivilege' is set to '' | Compliant | True
UserRight-238 | Ensure 'SeCreatePermanentPrivilege' is set to '' | Compliant | True
UserRight-239 | Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-240 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-241 | Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
UserRight-242 | Ensure 'SeNetworkLogonRight' is set to 'S-1-5-11, S-1-5-32-544' | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Authenticated Users | False
UserRight-243 | Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-114' | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account and member of Administrators group | False
UserRight-244 | Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-20, S-1-5-19, S-1-5-6, S-1-5-32-544' | The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRS | False
UserRight-245 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-246 | Ensure 'SeLockMemoryPrivilege' is set to '' | Compliant | True
UserRight-247 | Ensure 'SeTcbPrivilege' is set to '' | Compliant | True
UserRight-248 | Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' | Compliant | True
UserRight-249 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False
UserRight-428 | Ensure 'SeTrustedCredManAccessPrivilege' is set to '' | Compliant | True
UserRight-429 | Ensure 'SeRemoteInteractiveLogonRight' is set to 'S-1-5-32-544' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Remote Desktop Users | False

Account Policies

Id | Task | Message | Status
AccountPolicy-309 | Ensure 'MinimumPasswordLength' is set to '14'. | 'MinimumPasswordLength' currently set to: 0. Expected: 14 | False
AccountPolicy-310 | Ensure 'PasswordComplexity' is set to '1'. | Compliant | True
AccountPolicy-311 | Ensure 'PasswordHistorySize' is set to '24'. | 'PasswordHistorySize' currently set to: 0. Expected: 24 | False
AccountPolicy-312 | Ensure 'LockoutBadCount' is set to '10'. | 'LockoutBadCount' currently set to: 0. Expected: 10 | False
AccountPolicy-313 | Ensure 'ResetLockoutCount' is set to '15'. | Currently not set. | False
AccountPolicy-314 | Ensure 'LockoutDuration' is set to '15'. | Currently not set. | False
AccountPolicy-315 | Ensure 'ClearTextPassword' is set to '0'. | Compliant | True

Advanced Audit Policy Configuration

Id | Task | Message | Status
AuditPolicy-250 | Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'. | Set to: Success | False
AuditPolicy-251 | Ensure 'Security Group Management' is set to 'Success'. | Compliant | True
AuditPolicy-252 | Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'. | Set to: Success | False
AuditPolicy-253 | Ensure 'Plug and Play Events' is set to 'Success'. | Set to: No Auditing | False
AuditPolicy-254 | Ensure 'Process Creation' is set to 'Success'. | Set to: No Auditing | False
AuditPolicy-255 | Ensure 'Account Lockout' is set to 'Failure'. | Set to: Success | False
AuditPolicy-256 | Ensure 'Group Membership' is set to 'Success'. | Set to: No Auditing | False
AuditPolicy-257 | Ensure 'Logon' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-258 | Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-259 | Ensure 'Special Logon' is set to 'Success'. | Compliant | True
AuditPolicy-260 | Ensure 'Detailed File Share' is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-261 | Ensure 'File Share' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-262 | Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-263 | Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-264 | Ensure 'Audit Policy Change' is set to 'Success'. | Compliant | True
AuditPolicy-265 | Ensure 'Authentication Policy Change' is set to 'Success'. | Compliant | True
AuditPolicy-266 | Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-267 | Ensure 'Other Policy Change Events' is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-268 | Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False
AuditPolicy-269 | Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-270 | Ensure 'Security State Change' is set to 'Success'. | Compliant | True
AuditPolicy-271 | Ensure 'Security System Extension' is set to 'Success'. | Set to: No Auditing | False
AuditPolicy-272 | Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'. | Compliant | True
AuditPolicy-449 | Ensure 'Kerberos Authentication Service' is set to 'Success' and is set to 'Failure'. | Set to: Success | False
AuditPolicy-450 | Ensure 'Kerberos Service Ticket Operations' is set to 'Failure'. | Set to: Success | False
AuditPolicy-451 | Ensure 'Computer Account Management' is set to 'Success'. | Compliant | True
AuditPolicy-452 | Ensure 'Other Account Management Events' is set to 'Success'. | Set to: No Auditing | False
AuditPolicy-457 | Ensure 'Directory Service Access' is set to 'Failure'. | Set to: Success | False
AuditPolicy-458 | Ensure 'Directory Service Changes' is set to 'Success'. | Set to: No Auditing | False

CIS Benchmarks

This section contains all benchmarks from CIS.

Registry Settings/Group Policies

| Id | Task | Message | Status |
| --- | --- | --- | --- |
| 1.1.6 | (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' | Registry value not found. | False |
| 2.3.1.2 | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' | Registry value not found. | False |
| 2.3.1.4 | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' | Compliant | True |
| 2.3.2.1 | (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Registry value not found. | False |
| 2.3.2.2 | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
| 2.3.4.1 | (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' | Registry value not found. | False |
| 2.3.4.2 | (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' | Compliant | True |
| 2.3.5.1 | (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) | Registry value not found. | False |
| 2.3.5.2 | (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only) | Compliant. Registry value not found. | True |
| 2.3.5.3 | (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) | Registry key not found. | False |
| 2.3.5.4 | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) | Registry key not found. | False |
| 2.3.5.5 | (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) | Registry value not found. | False |
| 2.3.6.1 | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' | Compliant | True |
| 2.3.6.2 | (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' | Compliant | True |
| 2.3.6.3 | (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' | Compliant | True |
| 2.3.6.4 | (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' | Compliant | True |
| 2.3.6.5 | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Compliant | True |
| 2.3.6.6 | (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' | Compliant | True |
| 2.3.7.1 | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | Compliant | True |
| 2.3.7.2 | (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 2.3.7.3 | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | Registry value not found. | False |
| 2.3.7.4 | (L1) Configure 'Interactive logon: Message text for users attempting to log on' | Compliant | True |
| 2.3.7.5 | (L1) Configure 'Interactive logon: Message title for users attempting to log on' | Registry value is ''. Expected: Matching expression '.+' | False |
| 2.3.7.6 | (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) | Registry value is '10'. Expected: Matching expression '^[43210]$' | False |
| 2.3.7.7 | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' | Compliant | True |
| 2.3.7.8 | (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) | Registry value is '0'. Expected: 1 | False |
| 2.3.7.9 | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher | Registry value is '0'. Expected: Matching expression '^(1\|2\|3)$' | False |
| 2.3.8.1 | (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 2.3.8.2 | (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' | Compliant | True |
| 2.3.8.3 | (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' | Compliant | True |
| 2.3.9.1 | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | Compliant | True |
| 2.3.9.2 | (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 2.3.9.3 | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 2.3.9.4 | (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Compliant | True |
| 2.3.9.5 | (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) | Registry value not found. | False |
| 2.3.10.1 | (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | Registry value not found. | False |
| 2.3.10.2 | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) | Compliant | True |
| 2.3.10.3 | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) | Registry value is '0'. Expected: 1 | False |
| 2.3.10.4 | (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
| 2.3.10.5 | (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | Compliant | True |
| 2.3.10.6 | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) | Registry value is ''. Expected: LSARPC NETLOGON SAMR | False |
| 2.3.10.7 | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) | Compliant | True |
| 2.3.10.8 | (L1) Configure 'Network access: Remotely accessible registry paths' is configured | Compliant | True |
| 2.3.10.9 | (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured | Registry value is 'System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog'. Expected: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\WINS | False |
| 2.3.10.10 | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | Compliant | True |
| 2.3.10.11 | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Registry value not found. | False |
| 2.3.10.12 | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | Compliant. Registry value not found. | True |
| 2.3.10.13 | (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' | Compliant | True |
| 2.3.11.1 | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' | Registry value not found. | False |
| 2.3.11.2 | (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | Registry value not found. | False |
| 2.3.11.3 | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' | Registry key not found. | False |
| 2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | Registry key not found. | False |
| 2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Compliant | True |
| 2.3.11.7 | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' | Registry value not found. | False |
| 2.3.11.8 | (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | Compliant | True |
| 2.3.11.9 | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | Registry value is '536870912'. Expected: 537395200 | False |
| 2.3.11.10 | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | Registry value is '536870912'. Expected: 537395200 | False |
| 2.3.13.1 | (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' | Compliant | True |
| 2.3.15.1 | (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' | Compliant | True |
| 2.3.15.2 | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' | Compliant | True |
| 2.3.17.1 | (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' | Registry value not found. | False |
| 2.3.17.2 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' | Registry value is '5'. Expected: 2 | False |
| 2.3.17.3 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | Registry value is '3'. Expected: 0 | False |
| 2.3.17.4 | (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Compliant | True |
| 2.3.17.5 | (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Compliant | True |
| 2.3.17.6 | (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | Compliant | True |
| 2.3.17.7 | (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' | Compliant | True |
| 2.3.17.8 | (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' | Compliant | True |
| 5.1 | (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) | Registry value is '2'. Expected: x == 4 | False |
| 5.2 | (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only) | Registry value is '2'. Expected: 4 | False |
| 9.1.1 | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | Registry key not found. | False |
| 9.1.2 | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' | Registry key not found. | False |
| 9.1.3 | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' | Registry key not found. | False |
| 9.1.4 | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | Registry key not found. | False |
| 9.1.5 | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Registry key not found. | False |
| 9.1.6 | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
| 9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
| 9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
| 9.2.1 | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | Registry key not found. | False |
| 9.2.2 | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | Registry key not found. | False |
| 9.2.3 | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' | Registry key not found. | False |
| 9.2.4 | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | Registry key not found. | False |
| 9.2.5 | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Registry key not found. | False |
| 9.2.6 | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
| 9.2.7 | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
| 9.2.8 | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
| 9.3.1 | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | Registry key not found. | False |
| 9.3.2 | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | Registry key not found. | False |
| 9.3.3 | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | Registry key not found. | False |
| 9.3.4 | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | Registry key not found. | False |
| 9.3.5 | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Registry key not found. | False |
| 9.3.6 | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Registry key not found. | False |
| 9.3.7 | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Registry key not found. | False |
| 9.3.8 | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
| 9.3.9 | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
| 9.3.10 | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
| 18.1.1.1 | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Registry key not found. | False |
| 18.1.1.2 | (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Registry key not found. | False |
| 18.1.2.2 | (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' | Registry key not found. | False |
| 18.1.3 | (L2) Ensure 'Allow Online Tips' is set to 'Disabled' | Registry value not found. | False |
| 18.2.2 | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only) | Registry key not found. | False |
| 18.2.3 | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) | Registry key not found. | False |
| 18.2.4 | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only) | Registry key not found. | False |
| 18.2.5 | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only) | Registry key not found. | False |
| 18.2.6 | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only) | Registry key not found. | False |
| 18.3.1 | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only) | Registry value not found. | False |
| 18.3.2 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | Registry key not found. | False |
| 18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | Registry value not found. | False |
| 18.3.4 | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Compliant | True |
| 18.3.5 | (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) | Registry key not found. | False |
| 18.3.6 | (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' | Registry value not found. | False |
| 18.3.7 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | Registry value not found. | False |
| 18.4.1 | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Registry value not found. | False |
| 18.4.2 | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Registry value not found. | False |
| 18.4.3 | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Registry value not found. | False |
| 18.4.4 | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Registry value not found. | False |
| 18.4.5 | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | Registry value not found. | False |
| 18.4.6 | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Registry value not found. | False |
| 18.4.7 | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' | Registry value not found. | False |
| 18.4.8 | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | Registry value not found. | False |
| 18.4.9 | (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Registry value not found. | False |
| 18.4.10 | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Registry value not found. | False |
| 18.4.11 | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Registry value not found. | False |
| 18.4.12 | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Registry value not found. | False |
| 18.5.4.1 | (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher | Registry key not found. | False |
| 18.5.4.2 | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Registry key not found. | False |
| 18.5.5.1 | (L2) Ensure 'Enable Font Providers' is set to 'Disabled' | Registry value not found. | False |
| 18.5.8.1 | (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' | Registry key not found. | False |
| 18.5.9.1 A | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (AllowLLTDIOOnDomain) | Registry key not found. | False |
| 18.5.9.1 B | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (AllowLLTDIOOnPublicNet) | Registry key not found. | False |
| 18.5.9.1 C | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (EnableLLTDIO) | Registry key not found. | False |
| 18.5.9.1 D | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (ProhibitLLTDIOOnPrivateNet) | Registry key not found. | False |
| 18.5.9.2 A | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnDomain) | Registry key not found. | False |
| 18.5.9.2 B | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (AllowRspndrOnPublicNet) | Registry key not found. | False |
| 18.5.9.2 C | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (EnableRspndr) | Registry key not found. | False |
| 18.5.9.2 D | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (ProhibitRspndrOnPrivateNet) | Registry key not found. | False |
| 18.5.10.2 | (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Registry key not found. | False |
| 18.5.11.2 | (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Registry value not found. | False |
| 18.5.11.3 | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Registry value not found. | False |
| 18.5.11.4 | (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | Registry value not found. | False |
| 18.5.14.1 A | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (`\\*\SYSVOL`) | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
| 18.5.14.1 B | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (`\\*\NETLOGON`) | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
| 18.5.19.2.1 | (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | Registry value not found. | False |
| 18.5.20.1 A | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (EnableRegistrars) | Registry key not found. | False |
| 18.5.20.1 B | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableUPnPRegistrar) | Registry key not found. | False |
| 18.5.20.1 C | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableInBand802DOT11Registrar) | Registry key not found. | False |
| 18.5.20.1 D | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableFlashConfigRegistrar) | Registry key not found. | False |
| 18.5.20.1 E | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (DisableWPDRegistrar) | Registry key not found. | False |
| 18.5.20.2 | (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | Registry key not found. | False |
| 18.5.21.1 | (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | Registry value not found. | False |
| 18.5.21.2 | (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Registry value not found. | False |
| 18.6.1 | (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | Registry key not found. | False |
| 18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Registry key not found. | False |
| 18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | Registry key not found. | False |
| 18.7.1.1 | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' | Registry key not found. | False |
| 18.8.3.1 | (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | Registry value not found. | False |
| 18.8.4.1 | (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | Registry key not found. | False |
| 18.8.4.2 | (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Registry key not found. | False |
| 18.8.5.1 | (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Registry key not found. | False |
| 18.8.5.2 | (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' | Registry key not found. | False |
| 18.8.5.3 | (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' | Registry key not found. | False |
| 18.8.5.4 | (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | Registry key not found. | False |
| 18.8.5.5 | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) | Registry key not found. | False |
| 18.8.5.6 | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) | Registry key not found. | False |
| 18.8.5.7 | (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' | Registry key not found. | False |
| 18.8.7.2 | (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) | Registry key not found. | False |
| 18.8.14.1 | (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | Registry key not found. | False |
| 18.8.21.2 | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Registry key not found. | False |
| 18.8.21.3 | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Registry key not found. | False |
| 18.8.21.4 | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' | Registry value not found. | False |
| 18.8.21.5 | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Registry value not found. | False |
| 18.8.22.1.1 | (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.2 | (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.3 | (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.4 | (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.5 | (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | Registry value not found. | False |
| 18.8.22.1.6 | (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.7 | (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.8 | (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.9 | (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' | Registry value not found. | False |
| 18.8.22.1.10 | (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' | Registry value not found. | False |
| 18.8.22.1.11 | (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.12 | (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | Registry key not found. | False |
| 18.8.22.1.13 A | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Disabled) | Registry key not found. | False |
| 18.8.22.1.13 B | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (DoReport) | Registry key not found. | False |
| 18.8.25.1 A | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) | Registry key not found. | False |
| 18.8.25.1 B | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) | Registry key not found. | False |
| 18.8.26.1 | (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' | Registry key not found. | False |
| 18.8.27.1 | (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' | Registry key not found. | False |
| 18.8.28.1 | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Registry value not found. | False |
| 18.8.28.2 | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' | Registry value not found. | False |
| 18.8.28.3 | (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | Registry value not found. | False |
| 18.8.28.4 | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only) | Registry value not found. | False |
| 18.8.28.5 | (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Registry value not found. | False |
| 18.8.28.6 | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Registry value not found. | False |
| 18.8.28.7 | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Registry value not found. | False |
| 18.8.31.1 | (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' | Registry value not found. | False |
| 18.8.31.2 | (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' | Registry value not found. | False |
| 18.8.34.6.1 | (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | Registry key not found. | False |
| 18.8.34.6.2 | (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' | Registry key not found. | False |
| 18.8.34.6.3 | (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | Registry key not found. | False |
| 18.8.34.6.4 | (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Registry key not found. | False |
| 18.8.36.1 | (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Registry value not found. | False |
| 18.8.36.2 | (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Registry value not found. | False |
| 18.8.37.1 | (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) | Registry key not found. | False |
| 18.8.37.2 | (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only) | Registry key not found. | False |
| 18.8.40.1 | (L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) | Registry key not found. | False |
| 18.8.48.5.1 | (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Registry key not found. | False |
| 18.8.48.11.1 | (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | Registry key not found. | False |
| 18.8.50.1 | (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' | Registry key not found. | False |
| 18.8.53.1.1 | (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Registry key not found. | False |
| 18.8.53.1.2 | (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) | Registry key not found. | False |
| 18.9.4.1 | (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' | Registry key not found. | False |
| 18.9.6.1 | (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' | Registry value not found. | False |
| 18.9.8.1 | (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Registry key not found. | False |
| 18.9.8.2 | (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' | Registry value not found. | False |
| 18.9.8.3 | (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | Registry value not found. | False |
| 18.9.10.1.1 | (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' | Registry key not found. | False |
| 18.9.12.1 | (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' | Registry key not found. | False |
| 18.9.14.1 | (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | Registry key not found. | False |
| 18.9.14.2 | (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Registry key not found. | False |
| 18.9.15.1 | (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Registry key not found. | False |
| 18.9.16.1 | (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' | Registry key not found. | False |
| 18.9.16.2 | (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Registry key not found. | False |
| 18.9.17.1 | (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' | Registry value not found. | False |
| 18.9.17.2 | (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' | Registry value not found. | False |
| 18.9.17.3 | (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' | Registry value not found. | False |
| 18.9.17.4 | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' | Registry value not found. | False |
| 18.9.17.5 | (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' | Registry key not found. | False |
| 18.9.17.6 | (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' | Registry value not found. | False |
18.9.17.7(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'Registry value not found.False
18.9.17.8(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'Registry key not found.False
18.9.27.1.1(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'Registry key not found.False
18.9.27.1.2(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'Registry key not found.False
18.9.27.2.1(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'Registry key not found.False
18.9.27.2.2(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'Registry key not found.False
18.9.27.3.1(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'Registry key not found.False
18.9.27.3.2(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'Registry key not found.False
18.9.27.4.1(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'Registry key not found.False
18.9.27.4.2(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'Registry key not found.False
18.9.31.2(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'Registry key not found.False
18.9.31.3(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'Registry key not found.False
18.9.31.4(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'Registry value not found.False
18.9.41.1(L2) Ensure 'Turn off location' is set to 'Enabled'Registry key not found.False
18.9.45.1(L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'Registry key not found.False
18.9.46.1(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'Registry key not found.False
18.9.47.4.1(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'Registry key not found.False
18.9.47.4.2(L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'Compliant. Registry key not found.True
18.9.47.5.1.1(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'Registry value not found.False
18.9.47.5.1.2 A(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office communication application from creating child processes' is configuredRegistry key not found.False
18.9.47.5.1.2 B(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating executable content' is configuredRegistry key not found.False
18.9.47.5.1.2 C(L1) Ensure 'Configure Attack Surface Reduction rules: Block execution of potentially obfuscated scripts' is configuredRegistry key not found.False
18.9.47.5.1.2 D(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configuredRegistry key not found.False
18.9.47.5.1.2 E(L1) Ensure 'Configure Attack Surface Reduction rules: Block Adobe Reader from creating child processes' is configuredRegistry key not found.False
18.9.47.5.1.2 F(L1) Ensure 'Configure Attack Surface Reduction rules: Block Win32 API calls from Office macro' is configuredRegistry key not found.False
18.9.47.5.1.2 G(L1) Ensure 'Configure Attack Surface Reduction rules: Block credential stealing from the Windows local security authority subsystem (lsass.exe))' is configuredRegistry key not found.False
18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Block untrusted and unsigned processes that run from USB' is configuredRegistry key not found.False
18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Block executable content from email client and webmail' is configuredRegistry key not found.False
18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Block JavaScript or VBScript from launching downloaded executable content' is configuredRegistry key not found.False
18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Block Office applications from creating child processes' is configuredRegistry key not found.False
18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Block persistence through WMI event subscription' is configuredRegistry key not found.False
18.9.47.5.3.1(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'Registry key not found.False
18.9.47.6.1(L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'Registry key not found.False
18.9.47.9.1(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'Registry key not found.False
18.9.47.9.2(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'Registry key not found.False
18.9.47.9.3(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'Registry key not found.False
18.9.47.9.4(L1) Ensure 'Turn on script scanning' is set to 'Enabled'Registry key not found.False
18.9.47.11.1(L2) Ensure 'Configure Watson events' is set to 'Disabled'Registry key not found.False
18.9.47.12.1(L1) Ensure 'Scan removable drives' is set to 'Enabled'Registry key not found.False
18.9.47.12.2(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'Registry key not found.False
18.9.47.15(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'Registry key not found.False
18.9.47.16(L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'Registry key not found.False
18.9.58.1(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'Registry key not found.False
18.9.64.1(L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'Registry key not found.False
18.9.65.2.2(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'Registry value not found.False
18.9.65.3.2.1(L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'Registry value not found.False
18.9.65.3.3.1(L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled' Registry value not found.False
18.9.65.3.3.2(L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled'Registry value not found.False
18.9.65.3.3.3(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'Registry value not found.False
18.9.65.3.3.4(L2) Ensure 'Do not allow location redirection' is set to 'Enabled'Registry value not found.False
18.9.65.3.3.5(L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'Registry value not found.False
18.9.65.3.3.6(L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'Registry value not found.False
18.9.65.3.9.1(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'Registry value not found.False
18.9.65.3.9.2(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'Registry value not found.False
18.9.65.3.9.3(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'Registry value not found.False
18.9.65.3.9.4(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'Registry value not found.False
18.9.65.3.9.5(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'Registry value not found.False
18.9.65.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'Registry value not found.False
18.9.65.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'Registry value not found.False
18.9.65.3.11.1(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'Registry value not found.False
18.9.65.3.11.2(L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'Registry value not found.False
18.9.66.1(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'Registry key not found.False
18.9.67.2(L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'Compliant. Registry key not found.True
18.9.67.3(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'Registry key not found.False
18.9.72.1(L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'Registry key not found.False
18.9.85.1.1 A(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (EnableSmartScreen)Registry value not found.False
18.9.85.1.1 B(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (ShellSmartScreenLevel)Registry value not found.False
18.9.89.1(L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'Registry key not found.False
18.9.89.2(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'Registry key not found.False
18.9.90.1(L1) Ensure 'Allow user control over installs' is set to 'Disabled'Registry key not found.False
18.9.90.2(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (LocalMachine)Registry key not found.False
18.9.90.3(L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'Registry key not found.False
18.9.91.1(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'CompliantTrue
18.9.100.1(L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'Registry key not found.False
18.9.100.2(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'Registry key not found.False
18.9.102.1.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Client)Registry key not found.False
18.9.102.1.2(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Client)Registry key not found.False
18.9.102.1.3(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'Registry key not found.False
18.9.102.2.1(L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Service)Registry key not found.False
18.9.102.2.2(L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'Registry key not found.False
18.9.102.2.3(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Service)Registry key not found.False
18.9.102.2.4(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'Registry key not found.False
18.9.103.1(L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'Registry key not found.False
18.9.105.2.1(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'Registry key not found.False
18.9.108.1.1(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'Registry value not found.False
18.9.108.2 A(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'Registry value not found.False
18.9.108.2.2(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'Registry value not found.False
18.9.108.4.1(L1) Ensure 'Manage preview builds' is set to 'Disabled'Registry value not found.False
18.9.108.4.2 A(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdates)Registry value not found.False
18.9.108.4.2 B(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays)Registry value not found.False
18.9.108.4.3 A(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdates)Registry value not found.False
18.9.108.4.3 B(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays)Registry value not found.False
19.1.3.1(L1) Ensure 'Enable screen saver' is set to 'Enabled'Registry key not found.False
19.1.3.2(L1) Ensure 'Password protect the screen saver' is set to 'Enabled'Registry key not found.False
19.1.3.3(L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'Registry key not found.False
19.5.1.1(L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'Registry key not found.False
19.6.6.1.1(L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'Registry key not found.False
19.7.4.1(L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'Registry key not found.False
19.7.4.2(L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'Registry key not found.False
19.7.8.1(L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'Registry value not found.False
19.7.8.2(L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'Registry value not found.False
19.7.8.3(L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'Registry value not found.False
19.7.8.4(L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'Registry value not found.False
19.7.8.5(L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'Registry value not found.False
19.7.28.1(L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'Registry key not found.False
19.7.43.1(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (AlwaysInstallElevated)Registry key not found.False
19.7.47.2.1(L2) Ensure 'Prevent Codec Download' is set to 'Enabled'Registry key not found.False

User Rights Assignment

Id | Task | Message | Status
2.2.1 | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True
2.2.2 | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only) | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | False
2.2.3 | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Authenticated Users | False
2.2.4 | (L1) Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True
2.2.5 | (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) | The user 'SeMachineAccountPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
2.2.6 | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
2.2.7 | (L1) Ensure 'Allow log on locally' is set to 'Administrators' | The user right 'SeInteractiveLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators | False
2.2.8 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Remote Desktop Users | False
2.2.9 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) | Compliant | True
2.2.10 | (L1) Ensure 'Back up files and directories' is set to 'Administrators' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
2.2.11 | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Compliant | True
2.2.12 | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' | Compliant | True
2.2.13 | (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True
2.2.14 | (L1) Ensure 'Create a token object' is set to 'No One' | Compliant | True
2.2.15 | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True
2.2.16 | (L1) Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True
2.2.17 | (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) | Compliant | True
2.2.18 A | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Hyper-V-Feature NOT installed] | Compliant | True
2.2.18 B | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Hyper-V-Feature installed] | Compliant | True
2.2.19 | (L1) Ensure 'Debug programs' is set to 'Administrators' | Compliant | True
2.2.20 | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only) | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: BUILTIN\Guests | False
2.2.21 | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only) | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: BUILTIN\Guests, NT AUTHORITY\Local account and member of Administrators group | False
2.2.22 | (L1) Ensure 'Deny log on as a batch job' to include 'Guests' | The user 'SeDenyBatchLogonRight' setting does not contain the following users: BUILTIN\Guests | False
2.2.23 | (L1) Ensure 'Deny log on as a service' to include 'Guests' | The user 'SeDenyServiceLogonRight' setting does not contain the following users: BUILTIN\Guests | False
2.2.24 | (L1) Ensure 'Deny log on locally' to include 'Guests' | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests | False
2.2.25 | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests | False
2.2.26 | (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests, NT AUTHORITY\Local account | False
2.2.27 | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) | The user 'SeEnableDelegationPrivilege' setting does not contain the following users: BUILTIN\Administrators | False
2.2.28 | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) | Compliant | True
2.2.29 | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True
2.2.30 A | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (ADFS-ROLE NOT installed) | Compliant | True
2.2.30 B | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (ADFS-ROLE installed) | The user 'SeAuditPrivilege' setting does not contain the following users: Orphaned Account, Orphaned Account | False
2.2.31 | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) | The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRS | False
2.2.32 A | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (IIS Role NOT installed) (MS only) | The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRS | False
2.2.32 B | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, IIS_IUSRS' (IIS Role installed) (MS only) | Compliant | True
2.2.33 | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' | Compliant | True
2.2.34 | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True
2.2.35 | (L1) Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True
2.2.36 | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only) | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users, BUILTIN\IIS_IUSRS | False
2.2.37 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only) | Compliant | True
2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | Compliant | True
2.2.39 | (L1) Ensure 'Modify an object label' is set to 'No One' | Compliant | True
2.2.40 | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True
2.2.41 | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True
2.2.42 | (L1) Ensure 'Profile single process' is set to 'Administrators' | Compliant | True
2.2.43 | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | Compliant | True
2.2.44 | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
2.2.45 | (L1) Ensure 'Restore files and directories' is set to 'Administrators' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
2.2.46 | (L1) Ensure 'Shut down the system' is set to 'Administrators' | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
2.2.47 | (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) | Compliant | True
2.2.48 | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True

Account Policies

Id | Task | Message | Status
1.1.1 | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' | 'PasswordHistorySize' currently set to: 0. Expected: x >= 24 | False
1.1.2 | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Compliant | True
1.1.3 | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | 'MinimumPasswordAge' currently set to: 0. Expected: x >= 1 days | False
1.1.4 | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' | 'MinimumPasswordLength' currently set to: 0. Expected: x >= 14 | False
1.1.5 | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Compliant | True
1.2.1 | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Currently not set. | False
1.2.2 | (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | 'LockoutBadCount' currently set to: 0. Expected: x <= 5 and x > 0 | False
1.2.3 | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Currently not set. | False

Advanced Audit Policy Configuration

Id | Task | Message | Status
17.1.1 | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Set to: Success | False
17.1.2 | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set to: Success | False
17.1.3 | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set to: Success | False
17.2.1 | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Set to: No Auditing | False
17.2.2 | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Compliant | True
17.2.3 | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Set to: No Auditing | False
17.2.4 | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Set to: No Auditing | False
17.2.5 | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True
17.2.6 | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Set to: Success | False
17.3.1 | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set to: No Auditing | False
17.3.2 | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set to: No Auditing | False
17.4.1 | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Set to: Success | False
17.4.2 | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Set to: No Auditing | False
17.5.1 | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set to: Success | False
17.5.2 | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Set to: No Auditing | False
17.5.3 | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True
17.5.4 | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True
17.5.5 | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Set to: No Auditing | False
17.5.6 | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True
17.6.1 | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' | Set to: No Auditing | False
17.6.2 | (L1) Ensure 'Audit File Share' is set to 'Success and Failure' | Set to: No Auditing | False
17.6.3 | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Set to: No Auditing | False
17.6.4 | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set to: No Auditing | False
17.7.1 | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True
17.7.2 | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True
17.7.3 | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set to: No Auditing | False
17.7.4 | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Set to: No Auditing | False
17.7.5 | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set to: No Auditing | False
17.8.1 | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Set to: No Auditing | False
17.9.1 | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Set to: No Auditing | False
17.9.2 | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True
17.9.3 | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True
17.9.4 | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set to: No Auditing | False
17.9.5 | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH (part of the Audit Test Automation Package).

Based on:

  • Security baseline for Microsoft Windows Server 2022, Version: FINAL, Date 2021-09-27
  • CIS Microsoft Windows Server 2022, Version: 1.0.0, Date 2022-02-14

This report was generated on 09/05/2022 05:26:18 on WIN-T74AI7HCI62 with ATAPHtmlReport version 1.8.

System information

Hostname: WIN-T74AI7HCI62
Domain role: Standalone Server
Operating System: Microsoft Windows Server 2022 Standard Evaluation
Build Number: 20348
Installation Language: English (United States)
Free disk space (GB): 7.9
Free physical memory (GB): 20.3% (0.8 GB / 4.1 GB)

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

(Two risk gauges, "Severity" and "Quantity", each with the scale Critical / High / Medium / Low; the gauge readings themselves did not survive extraction.)

A total of 857 tests have been executed.

  1. True 144 test(s) ≙ 16.80%
  2. False 711 test(s) ≙ 82.96%
  3. Warning 1 test(s) ≙ 0.12%
  4. None 1 test(s) ≙ 0.12%
  5. Error 0 test(s) ≙ 0.00%

General Benchmarks

A total of 22 tests have been executed in section General Benchmarks.

  1. True 6 test(s) ≙ 27.27%
  2. False 14 test(s) ≙ 63.64%
  3. Warning 1 test(s) ≙ 4.55%
  4. None 1 test(s) ≙ 4.55%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 404 tests have been executed in section Microsoft Benchmarks.

  1. True 56 test(s) ≙ 13.86%
  2. False 348 test(s) ≙ 86.14%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 431 tests have been executed in section CIS Benchmarks.

  1. True 82 test(s) ≙ 19.03%
  2. False 349 test(s) ≙ 80.97%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Risk Score

The Risk Score gives a quick overview of how risky the tested system is. It is made up of two areas, "Severity" and "Quantity"; the higher of the two risks is used as the overall risk.

Current Risk Score on tested System:

(Two risk gauges, "Severity" and "Quantity", each with the scale Critical / High / Medium / Low; the gauge readings themselves did not survive extraction.)

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity) | Risk Assessment
More than 85% | Low
Between 70% and 85% | Medium
Between 55% and 70% | High
Less than 55% | Critical

Compliance to Benchmarks (Severity) | Risk Assessment
All critical settings compliant | Low
1 or more incompliant setting(s) | Critical

Severity Compliance

Id | Task | Status
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True
2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True
2.3.5.2 | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) | None
2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | False
2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True
7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | False
7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | False
7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | False
7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | False
9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | False
9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | False
18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | False
18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | False
18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | False
18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | False
18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | False
18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | False
18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | False
18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | False
18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | False
18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | False
18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | False
18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | False
18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | False
18.9.47.5.1.2 H(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)False
18.9.47.5.1.2 I(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)False
18.9.47.5.1.2 J(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)False
18.9.47.5.1.2 K(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)False
18.9.47.5.1.2 L(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)False
18.9.48.11Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'False
18.9.58.3.10.1(L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'False
18.9.58.3.10.2(L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'False

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here

diff --git a/Samples/Outdated/Debian 10.html b/Samples/Outdated/Debian 10.html new file mode 100644 index 0000000..c7f0ba6 --- /dev/null +++ b/Samples/Outdated/Debian 10.html @@ -0,0 +1,12 @@ +Debian 10 Report [03/04/2022 11:31:00]

Debian 10 Report

Generated by the ATAPAuditor Module Version 4.14 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.

Based on:

  • Security baseline for Debian

This report was generated on 03/04/2022 11:31:00 on debian with TAPHtmlReport version 1.8.

Free physical memory (GB)2,3
Operating SystemDebian GNU/Linux 10 (buster)
Kernel Version4.19.0-18-amd64
Free disk space (GB)112,3
Installation Languagede_DE.UTF-8
Hostnamedebian

Summary

A total of 18 tests have been executed.

  1. True 15 test(s) ≙ 83.33%
  2. False 2 test(s) ≙ 11.11%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 5.56%
  5. Error 0 test(s) ≙ 0.00%

General Benchmarks

A total of 18 tests have been executed in section General Benchmarks.

  1. True 15 test(s) ≙ 83.33%
  2. False 2 test(s) ≙ 11.11%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 5.56%
  5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

General Benchmarks-

This section contains the general benchmark results

Security Base Data-

IdTaskMessageStatus
DSBD-001Ensure the system is booting in UEFI mode.CompliantTrue
DSBD-002Ensure the system is using SecureBoot.CompliantTrue
DSBD-003Ensure the system has a TPM Chip.CompliantTrue
DSBD-004Ensure the TPM Chip is implementing specification version 2.0 or higher.CompliantTrue
DSBD-005Report the count of local users on the system.System has 40 local usersNone
DSBD-006Report the count of local interactive users on the system.CompliantTrue
DSBD-007Get the count of admin users on the system.CompliantTrue
DSBD-008Ensure the NX bit is set.CompliantTrue
DSBD-009Ensure the ASLR is enabled.CompliantTrue
DSBD-010Ensure AppArmor or SELinux is enabled.CompliantTrue
DSBD-011Ensure CPU has no known vulnerabilities.CompliantTrue
DSBD-012Ensure root login using SSH is not permitted.Login for root using SSH is permitted.False
DSBD-013Ensure a firewall is installed (ufw, iptables, nftables).CompliantTrue
DSBD-014Ensure /etc/passwd and /etc/passwd- have proper file permissions.CompliantTrue
DSBD-015Ensure /etc/shadow and /etc/shadow- have proper file permissions.CompliantTrue
DSBD-016Ensure /etc/group and /etc/group- have proper file permissions.CompliantTrue
DSBD-017Ensure /etc/gshadow and /etc/gshadow- have proper file permissions.CompliantTrue
DSBD-018Ensure /etc/ssh/sshd_config has proper file permissions.The file permissions are not set correctly.False
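Review bot: the system-info rows print decimals in the generating host's locale ('Free physical memory (GB)2,3', 'Free disk space (GB)112,3' under Installation Language de_DE.UTF-8), whereas the Windows 10 BSI sample prints '100.5' and '5.398'; format these values with an invariant culture so reports from different hosts are comparable and parseable. DSBD-005 reports 'System has 40 local users' with status None, but DSBD-006 and DSBD-007 (interactive and admin user counts) only say 'Compliant' and never state the count, so the Message column should carry the counted value for all three rows.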
diff --git a/Samples/Outdated/GoogleChrome.dark.html b/Samples/Outdated/GoogleChrome.dark.html new file mode 100644 index 0000000..5b35b6f --- /dev/null +++ b/Samples/Outdated/GoogleChrome.dark.html @@ -0,0 +1 @@ +Google Chrome Audit Report [03/20/2019 15:37:02]
FB-Pro GmbH

Google Chrome Audit Report

Generated by the GoogleChromeAudit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Google Chrome Security Technical Implementation Guide V1R15 2019-01-25.

This report was generated at 03/20/2019 15:37:02 on ************.

Hostname*************
Build Number17763
Free disk space(GB) 46,3
Operating SystemMicrosoft Windows 10 Enterprise
Free physical memory (GB)7,669

Summary

A total of 36 tests have been run. 4 resulted in false. 0 resulted in warning.

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTBC-0001 Firewall traversal from remote host must be disabled. Compliant True
DTBC-0002 Site tracking users location must be disabled. Compliant True
DTBC-0003 Sites ability for showing desktop notifications must be disabled. Compliant True
DTBC-0004 Sites ability to show pop-ups must be disabled. Compliant True
DTBC-0005 Extensions installation must be blacklisted by default. Registry key not found. False
DTBC-0006 Extensions that are approved for use must be whitelisted. Registry key not found. False
DTBC-0009 Default search provider must be enabled. Registry value not found. False
DTBC-0011 The Password Manager must be disabled. Compliant True
DTBC-0013 The running of outdated plugins must be disabled. Compliant True
DTBC-0015 Third party cookies must be blocked. Compliant True
DTBC-0017 Background processing must be disabled. Compliant True
DTBC-0019 3D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.) Compliant True
DTBC-0020 Google Data Synchronization must be disabled. Compliant True
DTBC-0021 The URL protocol schema javascript must be disabled. Compliant True
DTBC-0023 Cloud print sharing must be disabled. Compliant True
DTBC-0025 Network prediction must be disabled. Compliant True
DTBC-0026 Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.) Compliant True
DTBC-0027 Search suggestions must be disabled. Compliant True
DTBC-0029 Importing of saved passwords must be disabled. Compliant True
DTBC-0030 Incognito mode must be disabled. Compliant. Registry value not set. True
DTBC-0037 Online revocation checks must be done. Compliant True
DTBC-0038 Safe Browsing must be enabled, Compliant True
DTBC-0039 Browser history must be saved. Compliant True
DTBC-0040 Default behavior must block webpages from automatically running plugins. Compliant True
DTBC-0051 URLs must be whitelisted for plugin use Registry value not found. False
DTBC-0052 Deletion of browser history must be disabled. Compliant True
DTBC-0053 Prompt for download location must be enabled. Compliant True
DTBC-0056 Chrome must be configured to allow only TLS. Compliant True
DTBC-0057 Safe Browsing Extended Reporting must be disabled. Compliant True
DTBC-0058 WebUSB must be disabled. Compliant True
DTBC-0060 Chrome Cleanup must be disabled. Compliant True
DTBC-0061 Chrome Cleanup reporting must be disabled. Compliant True
DTBC-0063 Google Cast must be disabled. Compliant True
DTBC-0064 Autoplay must be disabled. Compliant True
DTBC-0066 Anonymized data collection must be disabled. Compliant True
DTBC-0067 Collection of WebRTC event logs must be disabled. Compliant True
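Review bot: DTBC-0030 ('Incognito mode must be disabled') is reported 'Compliant. Registry value not set. True', while DTBC-0009 and DTBC-0051 treat a missing registry value as False; an absent policy value means the browser default applies, not that incognito is disabled, so this row should be False, or at most Warning with a message saying the policy is unset. Minor: 'Safe Browsing must be enabled,' ends in a comma where every other task ends in a period, and the DTBC-0051 task text is missing its terminating period.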
diff --git a/Samples/Outdated/GoogleChrome.html b/Samples/Outdated/GoogleChrome.html new file mode 100644 index 0000000..3099862 --- /dev/null +++ b/Samples/Outdated/GoogleChrome.html @@ -0,0 +1 @@ +Google Chrome Audit Report [03/20/2019 15:31:01]
FB-Pro GmbH

Google Chrome Audit Report

Generated by the GoogleChromeAudit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Google Chrome Security Technical Implementation Guide V1R15 2019-01-25.

This report was generated at 03/20/2019 15:31:01 on ************.

Hostname************
Build Number17763
Free disk space(GB) 46,3
Operating SystemMicrosoft Windows 10 Enterprise
Free physical memory (GB)7,833

Summary

A total of 36 tests have been run. 4 resulted in false. 0 resulted in warning.

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTBC-0001 Firewall traversal from remote host must be disabled. Compliant True
DTBC-0002 Site tracking users location must be disabled. Compliant True
DTBC-0003 Sites ability for showing desktop notifications must be disabled. Compliant True
DTBC-0004 Sites ability to show pop-ups must be disabled. Compliant True
DTBC-0005 Extensions installation must be blacklisted by default. Registry key not found. False
DTBC-0006 Extensions that are approved for use must be whitelisted. Registry key not found. False
DTBC-0009 Default search provider must be enabled. Registry value not found. False
DTBC-0011 The Password Manager must be disabled. Compliant True
DTBC-0013 The running of outdated plugins must be disabled. Compliant True
DTBC-0015 Third party cookies must be blocked. Compliant True
DTBC-0017 Background processing must be disabled. Compliant True
DTBC-0019 3D Graphics APIs must be disabled. (Note: If 3D APIs are required by mission, this is not a finding.) Compliant True
DTBC-0020 Google Data Synchronization must be disabled. Compliant True
DTBC-0021 The URL protocol schema javascript must be disabled. Compliant True
DTBC-0023 Cloud print sharing must be disabled. Compliant True
DTBC-0025 Network prediction must be disabled. Compliant True
DTBC-0026 Metrics reporting to Google must be disabled. (Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.) Compliant True
DTBC-0027 Search suggestions must be disabled. Compliant True
DTBC-0029 Importing of saved passwords must be disabled. Compliant True
DTBC-0030 Incognito mode must be disabled. Compliant. Registry value not set. True
DTBC-0037 Online revocation checks must be done. Compliant True
DTBC-0038 Safe Browsing must be enabled, Compliant True
DTBC-0039 Browser history must be saved. Compliant True
DTBC-0040 Default behavior must block webpages from automatically running plugins. Compliant True
DTBC-0051 URLs must be whitelisted for plugin use Registry value not found. False
DTBC-0052 Deletion of browser history must be disabled. Compliant True
DTBC-0053 Prompt for download location must be enabled. Compliant True
DTBC-0056 Chrome must be configured to allow only TLS. Compliant True
DTBC-0057 Safe Browsing Extended Reporting must be disabled. Compliant True
DTBC-0058 WebUSB must be disabled. Compliant True
DTBC-0060 Chrome Cleanup must be disabled. Compliant True
DTBC-0061 Chrome Cleanup reporting must be disabled. Compliant True
DTBC-0063 Google Cast must be disabled. Compliant True
DTBC-0064 Autoplay must be disabled. Compliant True
DTBC-0066 Anonymized data collection must be disabled. Compliant True
DTBC-0067 Collection of WebRTC event logs must be disabled. Compliant True
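Review bot: this file is the light-theme twin of GoogleChrome.dark.html and differs from it only in the run timestamp (15:31:01 vs 15:37:02) and the free-memory value (7,833 vs 7,669); capture one result set and render both themes from it, otherwise the two samples drift apart and a reader cannot tell a theme difference from a data difference. The same four False rows (DTBC-0005, DTBC-0006, DTBC-0009, DTBC-0051) and the DTBC-0030 'Registry value not set' reported as True appear here and need the same treatment as in the dark sample.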
diff --git a/Samples/Outdated/Microsoft Windows 10 BSI Dark.html b/Samples/Outdated/Microsoft Windows 10 BSI Dark.html new file mode 100644 index 0000000..ccf2ae0 --- /dev/null +++ b/Samples/Outdated/Microsoft Windows 10 BSI Dark.html @@ -0,0 +1,28 @@ +Windows 10 BSI Report [01/17/2022 14:14:21]

Windows 10 BSI Report

Generated by the ATAPAuditor Module Version 4.14 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.

Based on:

  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 01/17/2022 14:14:21 on DESKTOP-UTMU75K.fb-pro.com with TAPHtmlReport version 1.8.

HostnameDESKTOP-UTMU75K.fb-pro.com
Build Number19043
Free disk space(GB) 100.5
Free physical memory (GB)5.398
Operating SystemMicrosoft Windows 10 Pro
Installation LanguageEnglish (United States)

Summary

A total of 1250 tests have been executed.

  1. True 994 test(s) ≙ 79.52%
  2. False 256 test(s) ≙ 20.48%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.

  1. True 51 test(s) ≙ 100.00%
  2. False 0 test(s) ≙ 0.00%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS HD

A total of 379 tests have been executed in section BSI Benchmarks SiSyPHuS HD.

  1. True 313 test(s) ≙ 82.59%
  2. False 66 test(s) ≙ 17.41%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS ND

A total of 287 tests have been executed in section BSI Benchmarks SiSyPHuS ND.

  1. True 240 test(s) ≙ 83.62%
  2. False 47 test(s) ≙ 16.38%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS NE

A total of 258 tests have been executed in section BSI Benchmarks SiSyPHuS NE.

  1. True 212 test(s) ≙ 82.17%
  2. False 46 test(s) ≙ 17.83%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiM-08202 - BPOL

A total of 275 tests have been executed in section BSI Benchmarks SiM-08202 - BPOL.

  1. True 178 test(s) ≙ 64.73%
  2. False 97 test(s) ≙ 35.27%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

BSI Benchmarks SiSyPHuS Logging-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
4.1.1Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
4.1.2Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
4.2.1.1Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'CompliantTrue
4.2.1.2Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.1.3Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.1.4Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.2.1Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'CompliantTrue
4.2.2.2Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.2.3Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.2.4Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.3.1Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'CompliantTrue
4.2.3.2Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'CompliantTrue
4.2.3.3Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'CompliantTrue
4.2.3.4Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.3.1.1Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'CompliantTrue
4.3.2.1.1Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.1.2Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.2.1Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.2.2Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.3.1Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'CompliantTrue
4.3.2.3.2Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.4.1Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.4.2Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.3.1Ensure 'Include command line in process creation events' is set to 'Disabled'CompliantTrue
4.3.4.2Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'CompliantTrue
4.3.4.3Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
5.1.1.1Ensure 'Audit Credential Validation' is set to 'Success and Failure'CompliantTrue
5.1.1.2Ensure 'Audit User Account Management' is set to 'Success and Failure'CompliantTrue
5.1.1.3Ensure 'Audit Account Lockout' is set to include 'Failure'CompliantTrue
5.1.1.4Ensure 'Audit Group Membership' is set to include 'Success'CompliantTrue
5.1.1.5Ensure 'Audit Logoff' is set to include 'Success'CompliantTrue
5.1.1.6Ensure 'Audit Logon' is set to 'Success and Failure'CompliantTrue
5.1.1.7Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'CompliantTrue
5.1.1.8Ensure 'Audit Special Logon' is set to include 'Success'CompliantTrue
5.2.1.1Ensure 'Audit Other System Events' is set to 'Success and Failure'CompliantTrue
5.2.1.2Ensure 'Audit Security State Change' is set to include 'Success'CompliantTrue
5.2.1.3Ensure 'Audit Security System Extension' is set to include 'Success'CompliantTrue
5.2.1.4Ensure 'Audit System Integrity' is set to 'Success and Failure'CompliantTrue
5.2.1.5Ensure 'Audit File Share' is set to 'Success and Failure'CompliantTrue
5.2.1.6Ensure 'Audit Detailed File Share' is set to include 'Failure'CompliantTrue
5.2.1.7Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'CompliantTrue
5.2.1.8Ensure 'Audit Removable Storage' is set to 'Success and Failure'CompliantTrue
5.2.1.9Ensure 'Audit PNP Activity' is set to include 'Success'CompliantTrue
5.3.1.1Ensure 'Audit Security Group Management' is set to include 'Success'CompliantTrue
5.3.1.2Ensure 'Audit Audit Policy Change' is set to include 'Success'CompliantTrue
5.3.1.3Ensure 'Audit Authentication Policy Change' is set to include 'Success'CompliantTrue
5.3.1.4Ensure 'Audit Authorization Policy Change' is set to include 'Success'CompliantTrue
5.3.1.5Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'CompliantTrue
5.3.1.6Ensure 'Audit Other Policy Change Events' is set to include 'Failure'CompliantTrue
5.5.1.1Ensure 'Audit Process Creation' is set to include 'Success'CompliantTrue
5.5.1.2Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'CompliantTrue

BSI Benchmarks SiSyPHuS HD-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
11(HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'.CompliantTrue
13(HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
15(HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'CompliantTrue
18(HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'.CompliantTrue
19(HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
23(HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
28(HD) Ensure 'Enable Font Providers' is set to 'Disabled'. CompliantTrue
29(HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'.CompliantTrue
30(HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. CompliantTrue
31(HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'.CompliantTrue
32(HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
36(HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
38(HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'.Registry key not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
47(HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'.CompliantTrue
48(HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'.CompliantTrue
49(HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
58(HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
62(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'.CompliantTrue
63(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. CompliantTrue
64(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'.CompliantTrue
65(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'.Registry key not found.False
| Id | Task | Message | Status |
|---|---|---|---|
| 66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Compliant | True |
| 67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Compliant | True |
| 68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
| 69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True |
| 70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False |
| 71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True |
| 72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True |
| 73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True |
| 74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
| 75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
| 77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
| 78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
| 79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True |
| 80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Compliant | True |
| 81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
| 82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True |
| 83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True |
| 84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True |
| 85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
| 86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
| 88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
| 89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
| 90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
| 91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False |
| 92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False |
| 93 | (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. | Compliant | True |
| 94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
| 95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
| 96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
| 97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
| 99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
| 100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False |
| 101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
| 102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
| 103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
| 104 | (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. | Compliant | True |
| 105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
| 106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
| 107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
| 108 | (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
| 109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
| 110 | (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. | Registry value not found. | False |
| 111 | (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. | Registry value not found. | False |
| 112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
| 113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
| 114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False |
| 115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
| 116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
| 117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
| 118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
| 119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
| 120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
| 121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
| 122 | (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. | Compliant | True |
| 123 | (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
| 125 | (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. | Compliant | True |
| 126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
| 127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
| 128 | (HD) Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
| 129 | (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. | Compliant | True |
| 130 | (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True |
| 131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
| 132 | (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True |
| 133 | (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
| 134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
| 135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
| 136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
| 137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
| 138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
| 139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
| 140 | (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. | Compliant | True |
| 141 | (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Compliant | True |
| 142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
| 143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
| 144 | (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True |
| 145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
| 146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
| 147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
| 148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
| 149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
| 150 | (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True |
| 151 | (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'. | Registry value not found. | False |
| 152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
| 153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
| 154 | (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. | Compliant | True |
| 155 | (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True |
| 156 | (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. | Compliant | True |
| 157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
| 158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
| 159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
| 160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False |
| 161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
| 162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
| 163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
| 164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
| 165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
| 166 | (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
| 168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
| 169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
| 170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
| 171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
| 172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
| 173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
| 174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
| 175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
| 176 | (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. | Compliant | True |
| 177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
| 178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
| 179 | (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True |
| 180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True |
| 181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False |
| 182 | (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. | Registry key not found. | False |
| 184 | (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. | Registry key not found. | False |
| 185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
| 186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
| 187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
| 188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
| 189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
| 190 | (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False |
| 191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
| 193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
| 195 | (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. | Registry value not found. | False |
| 196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
| 197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
| 198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
| 199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
| 209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
| 210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
| 211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
| 212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
| 213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
| 214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
| 215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
| 216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
| 217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
| 218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
| 219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
| 220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
| 222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
| 223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
| 224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
| 225 | (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. | Compliant | True |
| 226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
| 227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
| 228 | (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. | Compliant | True |
| 229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
| 230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
| 231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
| 232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
| 233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
| 234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True |
| 239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
| 240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
| 241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
| 243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
| 244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
| 245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
| 247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
| 248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
| 250 | (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. | Registry value not found. | False |
| 251 | (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. | Registry value not found. | False |
| 252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
| 253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
| 254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
| 255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
| 256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
| 257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
| 259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
| 260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
| 261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
| 262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
| 263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
| 264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
| 265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
| 266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
| 267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
| 269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
| 270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
| 271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
| 272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
| 273 | (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. | Registry value is ''. Expected: | False |
| 274 | (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. | Compliant | True |
| 275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
| 276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
| 316 | (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. | Compliant | True |
| 317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
| 318 | (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 319 | (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
| 322 | (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. | Compliant | True |
| 323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
| 325 | (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. | Compliant | True |
| 326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 327 | (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. | Compliant | True |
| 328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 329 | (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. | Compliant | True |
| 330 | (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
| 331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 332 | (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. | Compliant | True |
| 333 | (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. | Compliant | True |
| 334 | (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. | Compliant | True |
| 335 | (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. | Compliant | True |
| 336 | (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. | Compliant | True |
| 337 | (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. | Compliant | True |
| 338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
| 339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
| 340 | (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. | Compliant | True |
| 341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 342 | (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
| 344 | (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. | Compliant | True |
| 345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
| 346 | (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. | Compliant | True |
| 347 | (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. | Compliant | True |
| 348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
| 350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Compliant | True |
| 351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
| 352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Compliant | True |
| 353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Compliant | True |
| 354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Compliant | True |
| 355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
| 356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
| 357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
| 358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
| 359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
| 360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
| 361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
| 369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
| 370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
| 371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
| 372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
| 373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
| 374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |

User Rights Assignment

| Id | Task | Message | Status |
|---|---|---|---|
| 277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
| 278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
| 279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
| 280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 281 | (HD) Configure 'Log on as a service'. | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines | False |
| 282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
| 284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account; The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False |
| 285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
| 286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
| 289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
| 290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
| 291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
| 292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
| 293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
| 294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False |
| 295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
| 296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
| 297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
| 298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
| 299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
| 300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
| 301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
| 302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
| 303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
| 304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
| 306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |
| 307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False |
| 308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
| 310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True |
| 311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
| 312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
| 313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
| 314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
| 315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False |

Account Policies-

IdTaskMessageStatus
200(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'.CompliantTrue
201(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'.CompliantTrue
202(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'.CompliantTrue
203(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.CompliantTrue
204(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'.CompliantTrue
205(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' .CompliantTrue
206(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'.CompliantTrue
207(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'.CompliantTrue
208(ND) Ensure 'Reset account lockout counter after' is set to '15 or +more minute(s)'. CompliantTrue

BSI Benchmarks SiSyPHuS ND-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
6(ND, NE) Ensure 'LSA Protection' is set to 'Enabled'.Registry value not found.False
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
62(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'.CompliantTrue
63(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. CompliantTrue
64(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'.CompliantTrue
65(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'.Registry key not found.False
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
105(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'.CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '1'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'.Registry key not found.False
183(ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'.Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
219(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'.CompliantTrue
220(ND) Ensure 'Domain member: Digitally sign secure channel data(when possible)' is set to 'Enabled'.CompliantTrue
221(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. CompliantTrue
222(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. CompliantTrue
223(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. CompliantTrue
224(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.CompliantTrue
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
232(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. CompliantTrue
233(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.Registry value is '0'. Expected: 1False
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.Registry value is '0'. Expected: 1False
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Registry value is '0'. Expected: 1False
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
248(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.CompliantTrue
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
361(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'.CompliantTrue
362(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.CompliantTrue
363(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.CompliantTrue
364(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .CompliantTrue
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.CompliantTrue
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue
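Review bot: the committed report embeds environment identifiers that should not be checked in verbatim, and the Registry Settings table carries a duplicated check label. Row 307 names the machine and a local account (DESKTOP-UTMU75K\OldGuest), and rows 287 and 294 list the service accounts NT SERVICE\SQLSERVERAGENT and NT SERVICE\MSSQLSERVER; if this file is meant as a sample report, anonymise the host and account names before committing it. Rows 9 and 10 both read 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level', so a reader cannot tell which of the two is the IPv4 check; correct the label in the benchmark definition that generates these rows so the two checks are distinguishable.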

User Rights Assignment

Id | Task | Message | Status
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account + The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators + The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False

Account Policies

Id | Task | Message | Status
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True
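The User Rights Assignment and Account Policies rows above both come from the local security policy, which secedit can export as an INI-style file. The script below is an added example, not part of the report or of the tool that produced it: it exports the policy, resolves the SIDs secedit writes back to account names, and re-evaluates the rights that failed above together with the password and lockout rows. The principal names and thresholds are taken from the tasks in the tables; the well-known SID table and the reading of 'to include' as a subset check versus 'is set to' as an exact-set check are my assumptions.

```powershell
# Added example (not from the report or the tool that produced it): re-check the
# User Rights Assignment and Account Policies rows above from a secedit export.
# Run from an elevated PowerShell on the audited host.

$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null

# Parse the INI-style export into "Section/Key" -> value.
$policy = @{}
$section = ''
foreach ($line in Get-Content -LiteralPath $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy["$section/$($Matches[1])"] = $Matches[2] }
}
Remove-Item -LiteralPath $cfg -Force

# Well-known SIDs for the principals named in the tasks (secedit writes SIDs, not names).
$sidOf = @{
    'Administrators'       = 'S-1-5-32-544'
    'Users'                = 'S-1-5-32-545'
    'Guests'               = 'S-1-5-32-546'
    'Backup Operators'     = 'S-1-5-32-551'
    'Remote Desktop Users' = 'S-1-5-32-555'
    'ANONYMOUS LOGON'      = 'S-1-5-7'
    'LOCAL SERVICE'        = 'S-1-5-19'
    'NETWORK SERVICE'      = 'S-1-5-20'
    'Local account'        = 'S-1-5-113'
}

function Resolve-Sid([string]$sid) {
    # Translate back to DOMAIN\Name for the message; keep the SID if it cannot be resolved.
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

function Test-UserRight([string]$Right, [string[]]$Expected, [switch]$Exact) {
    # 'to include' tasks only require the listed principals (no -Exact);
    # 'is set to' tasks require exactly that set (-Exact). Assumed semantics.
    $actual = @()
    if ($policy["Privilege Rights/$Right"]) {
        $actual = @($policy["Privilege Rights/$Right"] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $wanted     = @($Expected | ForEach-Object { $sidOf[$_] })
    $missing    = @($wanted | Where-Object { $_ -notin $actual })
    $unexpected = @($actual | Where-Object { $_ -notin $wanted })
    $problems = @()
    if ($Exact -and $unexpected.Count) { $problems += 'contains unexpected users: ' + (($unexpected | ForEach-Object { Resolve-Sid $_ }) -join ', ') }
    if ($missing.Count)                { $problems += 'does not contain: ' + (($missing | ForEach-Object { Resolve-Sid $_ }) -join ', ') }
    $message = if ($problems.Count) { "$Right $($problems -join '; ')" } else { 'Compliant' }
    [pscustomobject]@{ Check = $Right; Status = ($problems.Count -eq 0); Message = $message }
}

function Test-AccountPolicy([string]$Key, [scriptblock]$IsOk, [string]$Task) {
    $value = [int]$policy["System Access/$Key"]   # an absent key reads as 0
    [pscustomobject]@{ Check = $Task; Status = [bool](& $IsOk $value); Message = "Value is $value" }
}

# Rows 280, 282, 306, 315: the deny rights must include these principals.
Test-UserRight 'SeDenyBatchLogonRight'       @('ANONYMOUS LOGON', 'Guests')
Test-UserRight 'SeDenyServiceLogonRight'     @('ANONYMOUS LOGON', 'Guests')
Test-UserRight 'SeDenyInteractiveLogonRight' @('ANONYMOUS LOGON', 'Guests')
Test-UserRight 'SeDenyNetworkLogonRight'     @('ANONYMOUS LOGON', 'Guests', 'Local account')
# Rows 289, 304, 308, 314: the allow rights must be exactly this set.
Test-UserRight 'SeNetworkLogonRight' @('Administrators', 'Remote Desktop Users') -Exact
Test-UserRight 'SeShutdownPrivilege' @('Administrators', 'Users') -Exact
Test-UserRight 'SeBackupPrivilege'   @('Administrators') -Exact
Test-UserRight 'SeRestorePrivilege'  @('Administrators') -Exact
# Rows 202-208 (secedit stores password ages in days, lockout times in minutes).
Test-AccountPolicy 'PasswordHistorySize'   { param($v) $v -ge 24 }                'Enforce password history: 24 or more'
Test-AccountPolicy 'MaximumPasswordAge'    { param($v) $v -ge 1 -and $v -le 365 } 'Maximum password age: 1..365 days'
Test-AccountPolicy 'MinimumPasswordLength' { param($v) $v -ge 14 }                'Minimum password length: 14 or more'
Test-AccountPolicy 'MinimumPasswordAge'    { param($v) $v -ge 1 }                 'Minimum password age: 1 or more days'
Test-AccountPolicy 'LockoutBadCount'       { param($v) $v -ge 1 -and $v -le 10 }  'Account lockout threshold: 1..10 attempts'
Test-AccountPolicy 'LockoutDuration'       { param($v) $v -ge 15 }                'Account lockout duration: 15 or more minutes'
Test-AccountPolicy 'ResetLockoutCount'     { param($v) $v -ge 15 }                'Reset account lockout counter after: 15 or more minutes'
```

The output is one object per check with the same Compliant / not-compliant shape as the report, so it can be diffed against the rows above after a fix. Two things the report's messages already hint at and the script makes visible: NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT (rows 287 and 294) are granted those rights by SQL Server setup, so removing them needs the SQL Server team's agreement, and Backup Operators appears in several allow rights because it is a built-in group with its own default rights; clearing it from SeBackupPrivilege and SeRestorePrivilege (rows 308 and 314) is only safe if nobody is in that group. On a domain member the rights are usually pushed by Group Policy and a local change is overwritten at the next refresh.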

BSI Benchmarks SiSyPHuS NE

This section contains the results for the BSI SiSyPHuS benchmark. The tag in front of each task names the BSI protection profiles the recommendation applies to: ND (normal protection need, domain member), NE (normal protection need, standalone computer) and HD (high protection need, domain member). A Status of True means the check passed; False means it failed, and the Message column records what was actually found.

Registry Settings/Group Policies

Id | Task | Message | Status
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True
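The failed rows in this table fall into three shapes that matter when remediating: 'Registry key not found.' means the policy has never been configured on this host (the whole key is absent), 'Registry value not found.' means the key exists but this particular setting was never written, and 'Registry value is ... Expected: ...' means the setting is present but wrong. The script below is an added example, not part of the report or of the tool behind it: it re-tests a subset of the failed rows (LSA Protection, dead-gateway detection, Delivery Optimization download mode, PowerShell script execution, the UAC prompt for standard users and SMB signing) with those same three outcomes, and with -Remediate writes the expected values. The registry paths and value names are the standard policy locations for these settings; matching them to the report's Ids is my assumption.

```powershell
# Added example (not from the report or the tool that produced it): re-test the
# registry-backed rows that failed above and, with -Remediate, write the expected
# values. Run elevated on the audited host.
param([switch]$Remediate)

# Policy registry locations behind the failed rows; Id refers to the table above.
$checks = @(
    @{ Id = 6;   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'RunAsPPL';                  Expected = 1;  Type = 'DWord' }
    @{ Id = 7;   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';             Name = 'EnableDeadGWDetect';        Expected = 0;  Type = 'DWord' }
    @{ Id = 160; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization';       Name = 'DODownloadMode';            Expected = 99; Type = 'DWord' }
    @{ Id = 183; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell';                 Name = 'EnableScripts';             Expected = 1;  Type = 'DWord' }
    @{ Id = 183; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell';                 Name = 'ExecutionPolicy';           Expected = 'RemoteSigned'; Type = 'String' }
    @{ Id = 218; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'ConsentPromptBehaviorUser'; Expected = 1;  Type = 'DWord' }
    @{ Id = 241; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature';  Expected = 1;  Type = 'DWord' }
    @{ Id = 245; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature';  Expected = 1;  Type = 'DWord' }
    @{ Id = 246; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableSecuritySignature';   Expected = 1;  Type = 'DWord' }
)

function Test-RegistrySetting($c) {
    # Same three failure messages the report uses, so results line up with its rows.
    $result = [ordered]@{ Id = $c.Id; Name = $c.Name; Status = $false; Message = '' }
    if (-not (Test-Path -LiteralPath $c.Path)) {
        $result.Message = 'Registry key not found.'       # policy never configured here
    }
    elseif ($null -eq (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue)) {
        $result.Message = 'Registry value not found.'     # key exists, this setting is absent
    }
    else {
        $actual = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Name).($c.Name)
        if ("$actual" -eq "$($c.Expected)") {
            $result.Status = $true
            $result.Message = 'Compliant'
        }
        else {
            $result.Message = "Registry value is '$actual'. Expected: $($c.Expected)"
        }
    }
    [pscustomobject]$result
}

function Set-RegistrySetting($c) {
    if (-not (Test-Path -LiteralPath $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
    # -Force replaces an existing value, including one stored with the wrong type.
    New-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Expected -PropertyType $c.Type -Force | Out-Null
}

$results = foreach ($c in $checks) {
    $r = Test-RegistrySetting $c
    if ($Remediate -and -not $r.Status) {
        Set-RegistrySetting $c
        $r = Test-RegistrySetting $c     # re-read so the output shows the post-fix state
    }
    $r
}
$results | Format-Table -AutoSize
```

Two of these fixes have side effects worth planning for before running with -Remediate: RunAsPPL (row 6) only takes effect after a reboot and then stops LSASS from loading unsigned plugins, so inventory third-party authentication packages and credential providers first; requiring SMB signing on the server side (rows 245 and 246) makes the host refuse clients that cannot sign. Values under HKLM\SOFTWARE\Policies belong to Group Policy on a domain member (the ND and HD profiles) and a local write is overwritten at the next policy refresh, so change them in the GPO there; for the standalone NE profile the local write is the right place.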

User Rights Assignment

Id | Task | Message | Status
277 (ND, NE) | Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 (ND, NE) | Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 (ND, NE) | Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 (ND, NE) | Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 (ND, NE) | Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 (ND) | Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account; the user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False
285 (ND, NE) | Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 (ND, NE) | Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 (ND, NE) | Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
288 (ND, NE) | Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 (ND, NE) | Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; the user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 (ND, NE) | Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True
291 (ND, NE) | Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 (ND, NE) | Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
294 (ND, NE) | Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
295 (ND, NE) | Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 (ND, NE) | Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 (ND, NE) | Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 (ND, NE) | Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 (ND, NE) | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 (ND, NE) | Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
301 (ND, NE) | Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 (ND, NE) | Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 (ND, NE) | Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 (ND, NE) | Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
305 (ND, NE) | Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 (ND, NE) | Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 (ND, NE) | Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
308 (ND, NE) | Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
309 (ND, NE) | Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 (ND, NE) | Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 (ND, NE) | Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 (ND, NE) | Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 (ND, NE) | Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 (ND, NE) | Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
315 (ND, NE) | Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False

Account Policies

Id | Task | Message | Status
200 (ND, NE) | Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 (ND, NE) | Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 (ND, NE) | Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 (ND, NE) | Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 (ND, NE) | Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 (ND, NE) | Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True

BSI Benchmarks SiM-08202 - BPOL

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
0003 | Ensure 'Configure Automatic Updates' is set to 4 | Registry value not found. | False
0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day' | Compliant | True
0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True
0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768' | Compliant | True
0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False
0037 | Ensure 'Allow enhanced PINs for startup' is set 'Enabled'. | Compliant | True
0038 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Compliant | True
0039 | Ensure 'Allow Secure Boot for integrity validation' is set 'Enabled'. | Registry value not found. | False
0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set 'Disabled'. | Compliant | True
0041 | Ensure 'Allow user control over installs' is set 'Disabled'. | Compliant | True
0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True
0065 | Ensure 'Enumerate administrator accounts on elevation' is set 'Disabled'. | Registry value not found. | False
0101 | Ensure 'Restrict Unauthenticated RPC clients' is set 'Enabled' | Compliant | True
0109 | Ensure 'Allow Telemetry' is set to 0. | Registry value is '1'. Expected: 0 | False
0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True
0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True
0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True
0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True
0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
0121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True
0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True
0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True
0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True
0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True
0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
0138 | Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False
0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True
0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False
0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True
0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True
0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False
0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Registry value is '1'. Expected: 0 | False
0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True
0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Compliant | True
0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True
0153 | Ensure 'Do not delete temp folders upon exit' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0154 | Ensure 'Do not display network selection UI' set to 'Enabled'. | Compliant | True
0155 | Ensure 'Do not enumerate connected users on domain-joined computers' set to 'Enabled'. | Compliant | True
0156 | Ensure 'Enable insecure guest logons' set to 'Disabled'. | Compliant | True
0157 | Ensure 'Enable local admin password management' set to 'Enabled'. | Compliant | True
0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' set to 'Enabled'. | Compliant | True
0159 | Ensure 'Enable screen saver' set to 'Enabled'. | Registry key not found. | False
0160 | Ensure 'Enable Windows NTP Server' set to 'Disabled'. | Compliant | True
0161 | Ensure 'Enable/Disable PerfTrack' set to 'Disabled'. | Compliant | True
0163 | Ensure 'Enumerate local users on domain-joined computers' set to 'Disabled'. | Compliant | True
0164 | Ensure 'Include command line in process creation events' set to 'Disabled'. | Registry key not found. | False
0165 | Ensure 'Let Windows apps access account information' set to 'Enabled: Force Deny'. | Registry value not found. | False
0166 | Ensure 'Let Windows apps access call history' set to 'Enabled: Force Deny'. | Registry value not found. | False
0167 | Ensure 'Let Windows apps access contacts' set to 'Enabled: Force Deny'. | Registry value not found. | False
0168 | Ensure 'Let Windows apps access email' set to 'Enabled: Force Deny'. | Registry value not found. | False
0169 | Ensure 'Let Windows apps access location' set to 'Enabled: Force Deny'. | Registry value not found. | False
0170 | Ensure 'Let Windows apps access messaging' set to 'Enabled: Force Deny'. | Registry value not found. | False
0171 | Ensure 'Let Windows apps access motion' set to 'Enabled: Force Deny'. | Registry value not found. | False
0172 | Ensure 'Let Windows apps access notifications' set to 'Enabled: Force Deny'. | Registry value not found. | False
0173 | Ensure 'Let Windows apps access the calendar' set to 'Enabled: Force Deny'. | Registry value not found. | False
0174 | Ensure 'Let Windows apps access the camera' set to 'Enabled: Force Deny'. | Registry value not found. | False
0175 | Ensure 'Let Windows apps access the microphone' set to 'Enabled: Force Deny'. | Registry value not found. | False
0176 | Ensure 'Let Windows apps access trusted devices' set to 'Enabled: Force Deny'. | Registry value not found. | False
0177 | Ensure 'Let Windows apps control radios' set to 'Enabled: Force Deny'. | Registry value not found. | False
0178 | Ensure 'Let Windows apps make phone calls' set to 'Enabled: Force Deny'. | Registry value not found. | False
0179 | Ensure 'Let Windows apps sync with devices' set to 'Enabled: Force Deny'. | Registry value not found. | False
0185 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' set to 'Enabled'. | Registry value not found. | False
0209 | Ensure 'Prevent downloading of enclosures' set to 'Enabled'. | Compliant | True
0210 | Ensure 'Prevent enabling lock screen camera' set to 'Enabled'. | Compliant | True
0211 | Ensure 'Prevent enabling lock screen slide show' set to 'Enabled'. | Compliant | True
0212 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'. | Registry value not found. | False
0213 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'. | Compliant | True
0214 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' set to 'Disabled'. | Compliant | True
0215 | Ensure 'Prevent the computer from joining a homegroup' set to 'Enabled'. | Compliant | True
0216 | Ensure 'Prohibit access of the Windows Connect Now wizards' set to 'Enabled'. | Compliant | True
0217 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' set to 'Enabled'. | Compliant | True
0218 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0220 | Ensure 'Require a password when a computer wakes (on battery)' set to 'Enabled'. | Compliant | True
0221 | Ensure 'Require a password when a computer wakes (plugged in)' set to 'Enabled'. | Compliant | True
0222 | Ensure 'Require additional authentication at startup' set to 'Enabled'. | Compliant | True
0223 | Ensure 'Require domain users to elevate when setting a network's location' set to 'Enabled'. | Compliant | True
0224 | Ensure 'Set the default behavior for AutoRun' set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
0225 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' set to 'Disabled'. | Compliant | True
0229 | Ensure 'Turn off background refresh of Group Policy' set to 'Disabled'. | Compliant | True
0230 | Ensure 'Turn off Data Execution Prevention for Explorer' set to 'Disabled'. | Compliant | True
0231 | Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'. | Compliant | True
0232 | Ensure 'Turn off handwriting personalization data sharing' set to 'Enabled'. | Compliant | True
0233 | Ensure 'Turn off handwriting recognition error reporting' set to 'Enabled'. | Compliant | True
0234 | Ensure 'Turn off heap termination on corruption' set to 'Disabled'. | Compliant | True
0235 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True
0236 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'. | Compliant | True
0237 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' set to 'Enabled'. | Compliant | True
0238 | Ensure 'Turn off picture password sign-in' set to 'Enabled'. | Compliant | True
0239 | Ensure 'Turn off printing over HTTP' set to 'Enabled'. | Compliant | True
0240 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' set to 'Enabled'. | Compliant | True
0241 | Ensure 'Turn off Search Companion content file updates' set to 'Enabled'. | Compliant | True
0242 | Ensure 'Turn off shell protocol protected mode' set to 'Disabled'. | Compliant | True
0243 | Ensure 'Turn off the 'Order Prints' picture task' set to 'Enabled'. | Compliant | True
0244 | Ensure 'Turn off the 'Publish to Web' task for files and folders' set to 'Enabled'. | Compliant | True
0245 | Ensure 'Turn on convenience PIN sign-in' set to 'Disabled'. | Compliant | True
0246 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' set to 'Disabled'. | Compliant | True
0247 | Ensure 'Turn on Responder (RSPNDR) driver' set to 'Disabled'. | Compliant | True
0248 | Ensure 'Turn On Virtualization Based Security' set to 'Enabled: Block untrusted fonts and log events'. | Compliant | True
0249 | Ensure 'Untrusted Font Blocking' set to 'Enabled'. | Registry key not found. | False
0250 | Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'. | Compliant | True
0251 | Ensure 'WDigest Authentication' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0253 | Ensure 'Windows Firewall: Domain: Apply local firewall rules' set to 'Disabled'. | Registry value not found. | False
0254 | Ensure 'Windows Firewall: Domain: Display a notification' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0279 | Ensure 'Windows Firewall: Domain: Logging: Name' set to '%windir%\system32\logfiles\firewall\domainfirewall.log'. | Registry value is '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. Expected: %windir%\system32\logfiles\firewall\domainfirewall.log | False
0280 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'. | Compliant | True
0281 | Ensure 'Windows Firewall: Public: Outbound connections' set to 'Allow'. | Registry value is '0'. Expected: 1 | False
0282 | Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content' set to 'Enabled'. | Compliant | True
0283 | Ensure 'Turn off KMS Client Online AVS Validation' set to 'Enabled'. | Compliant | True
0284 | Ensure 'Do not display the password reveal button' set to 'Enabled'. | Compliant | True
0285 | Ensure 'Join Microsoft MAPS' set to 'Disabled'. | Registry value not found. | False
0286 | Ensure 'Configure search suggestions in Address bar' set to 'Disabled'. | Compliant | True
0287 | Ensure 'Configure Windows SmartScreen' set to 'Enabled: Require approval from an administrator before running downloaded unknown software'. | Registry value is '1'. Expected: 2 | False
0288 | Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' set to 'Enabled'. | Compliant | True
0289 | Ensure 'Don't allow SmartScreen Filter warning overrides' set to 'Enabled'. | Compliant | True
0290 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Registry value not found. | False
0291 | Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'. | Compliant | True
0292 | Ensure 'Turn on SmartScreen Filter scan' set to 'Enabled'. | Compliant | True
0293 | Ensure 'Allow Cortana' set to 'Disabled'. | Compliant | True
0294 | Ensure 'Allow search and Cortana to use location' set to 'Disabled'. | Compliant | True
0295 | Ensure 'Disable all apps from Microsoft Store' set to 'Enabled'. | Registry value not found. | False
0296 | Ensure 'Disable pre-release features or settings' set to 'Disabled'. | Registry value not found. | False
0297 | Ensure 'Turn off access to the Store' set to 'Enabled'. | Compliant | True
0298 | Ensure 'Turn off Automatic Download and Install of updates' set to 'Enabled'. | Registry value is '4'. Expected: 2 | False
0299 | Ensure 'Turn off the offer to update to the latest version of Windows' set to 'Enabled'. | Compliant | True
0300 | Ensure 'Turn off the Store application' set to 'Enabled'. | Compliant | True
0301 | Ensure 'Allow Basic authentication' set to 'Disabled'. | Compliant | True
0302 | Ensure 'Allow unencrypted traffic' set to 'Disabled'. | Compliant | True
0304 | Ensure 'Allow Remote Shell Access' set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0306 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. | Compliant | True
0307 | Ensure 'Disallow Digest authentication' set to 'Enabled'. | Compliant | True
0308 | Ensure 'Disallow WinRM from storing RunAs credentials' set to 'Enabled'. | Compliant | True
0309 | Ensure 'Do not allow COM port redirection' set to 'Enabled'. | Compliant | True
0310 | Ensure 'Do not allow drive redirection' set to 'Enabled'. | Compliant | True
0311 | Ensure 'Do not allow LPT port redirection' set to 'Enabled'. | Compliant | True
0312 | Ensure 'Do not use temporary folders per session' set to 'Disabled'. | Registry value not found. | False
0313 | Ensure 'Apply UAC restrictions to local accounts on network logons' set to 'Enabled'. | Compliant | True
0323 | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' set to 'Disabled'. | Registry value is ''. Expected: | False
0324 | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' set to 'Disabled'. | Registry value is ''. Expected: | False
0325 | Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' set to 'XTS-AES 256-bit'. | Registry value not found. | False
0328 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'. | Compliant | True
0329 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'. | Compliant | True
0330 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'. | Registry value not found. | False
0331 | Ensure 'Configure minimum PIN length for startup' set to 'Enabled' and 'minimum characters' set to 10. | Registry value not found. | False
0332 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Enabled'. | Compliant | True
0333 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Enabled'. | Compliant | True
0334 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Enabled'. | Compliant | True
0335 | Ensure 'Configure use of passwords for fixed data drives' set to 'Disabled'. | Compliant | True
0336 | Ensure 'Configure use of passwords for operating system drives' set to 'Disabled'. | Compliant | True
0337 | Ensure 'Configure use of passwords for removable data drives' set to 'Disabled'. | Registry value not found. | False
0338 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Enabled'. | Compliant | True
0339 | Ensure 'Configure use of smart cards on removable data drives' set to 'Enabled'. | Compliant | True
0340 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'. | Compliant | True
0342 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Save BitLocker recovery information to AD DS for fixed data drives'. | Compliant | True
0343 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Save BitLocker recovery information to AD DS for operating system drives'. | Compliant | True
0344 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'. | Compliant | True
0345 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key and PIN with TPM'. | Registry value not found. | False
0346 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True
0347 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True
0348 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'. | Compliant | True
0349 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0350 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0351 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'. | Compliant | True
0352 | Ensure 'Configure use of smart cards on fixed data drives' set to 'Require use of smart cards on fixed data drives'. | Compliant | True
0353 | Ensure 'Configure use of smart cards on removable data drives' set to 'Require use of smart cards on removable data drives'. | Compliant | True
0354 | Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Do not allow write access to devices configured in another organization'. | Registry value is '0'. Expected: 1 | False
0355 | Ensure 'Password Settings' set to 'Large letters + small letters + numbers + specials'. | Compliant | True
0358 | Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'. | Compliant | True
0359 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard'. | Compliant | True
0360 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (Test)'. | Compliant | True
0361 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'. | Compliant | True
0362 | Ensure 'Require additional authentication at startup' set to 'Do not allow startup key with TPM'. | Registry value not found. | False
0363 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow 48-digit recovery password'. | Compliant | True
0364 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Require 48-digit recovery password'. | Registry value is '2'. Expected: 1 | False
0365 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 48-digit recovery password'. | Registry value not found. | False
0366 | Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'. | Compliant | True
0367 | Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True
0368 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'. | Compliant | True
0369 | Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Password Length' and set to greater or equal 15. | Registry value is '14'. Expected: x >= 15 | False
0370 | Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Also apply to matching devices that are already installed. (True)'. | Registry value not found. | False
0371 | Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True)'. | Compliant | True
0372 | Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'. | Registry value not found. | False
0373 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'. | Compliant | True
0374 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'. | Compliant | True
0375 | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True
0376 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'. | Compliant | True
0377 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'. | Compliant | True
0378 | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True
0380 | Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'. | Compliant | True
0384 | Ensure 'Password Age' set to less or equal 42. | Registry value is '20'. Expected: 42 | False
0385 | Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'. | Registry value not found. | False
0386 | Ensure 'Turn on PowerShell Transcription' set to 'Disabled'. | Compliant | True
0387 | Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0388 | Ensure 'Require secure RPC communication' set to 'Enabled'. | Compliant | True
0389 | Ensure 'Set client connection encryption level' set to 'Enabled: High Level'. | Compliant | True
0390 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'. | Registry value is '900000'. Expected: 300000 | False
0391 | Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'. | Compliant | True
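
Three different failure messages appear in the Message column of this table: 'Registry key not found.' (the policy key was never created), 'Registry value not found.' (the key exists but the setting was never written) and "Registry value is 'x'. Expected: y" (the setting is present with the wrong value). The PowerShell below is an added example, not the audit tool's own code, showing how the three cases are told apart for five of the settings listed above. The registry paths and value names are the standard Group Policy registry locations for these settings; the report does not print them, so they are assumptions added here.

```powershell
# Added example (not from the original audit report): evaluate registry-backed
# policy settings the way the report's Message column does, distinguishing a
# missing key from a missing value and from a wrong value.
# Runs on Windows without elevation; HKLM policy keys are readable by any user.
# Paths/value names below are the usual Group Policy registry locations for
# these settings and were added for this example (the report does not list them).

$checks = @(
    @{ Task = 'Turn on PowerShell Script Block Logging';              Op = 'eq'; Expected = 1
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' }
    @{ Task = 'Include command line in process creation events';     Op = 'eq'; Expected = 1
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Name = 'ProcessCreationIncludeCmdLine_Enabled' }
    @{ Task = 'Allow Telemetry';                                      Op = 'eq'; Expected = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry' }
    @{ Task = 'Allow Basic authentication (WinRM client)';            Op = 'eq'; Expected = 0
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'; Name = 'AllowBasic' }
    @{ Task = 'Specify the maximum log file size (KB), Security log'; Op = 'ge'; Expected = 32768
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'; Name = 'MaxSize' }
)

function Test-RegistryPolicy {
    param([hashtable]$Check)

    # Case 1: the policy key itself does not exist.
    if (-not (Test-Path -LiteralPath $Check.Path)) { return 'Registry key not found.' }

    # Case 2: the key exists but the value was never written. With -Name and a
    # missing value, Get-ItemProperty writes a (suppressed) error and returns nothing.
    $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Registry value not found.' }

    # Case 3: the value exists; compare it against the benchmark expectation.
    $value = $item.PSObject.Properties[$Check.Name].Value
    $compliant = switch ($Check.Op) {
        'eq' { $value -eq $Check.Expected }
        'ge' { [int64]$value -ge [int64]$Check.Expected }
    }
    if ($compliant) { return 'Compliant' }
    $shown = if ($Check.Op -eq 'ge') { "x >= $($Check.Expected)" } else { $Check.Expected }
    return "Registry value is '$value'. Expected: $shown"
}

# Emit one row per check in the report's Task / Message / Status shape.
$checks | ForEach-Object {
    $message = Test-RegistryPolicy -Check $_
    [pscustomobject]@{ Task = $_.Task; Message = $message; Status = ($message -eq 'Compliant') }
} | Format-Table -AutoSize -Wrap
```

Because the key-not-found and value-not-found cases both mean the setting falls back to the Windows default, a line such as 0164 ('Include command line in process creation events', key not found) is not merely unconfigured: process-creation events 4688 on that host carry no command line until the policy is written.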
0391Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'.CompliantTrue

User Rights Assignment

Id | Task | Message | Status
0044 | Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled' | The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SID | False
0045 | Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup Operators | False
0046 | Ensure 'SeTcbPrivilege' is set to 'None' | The user 'SeTcbPrivilege' setting does not contain the following users: NULL SID | False
0047 | Ensure 'Adjust memory quotas for a process' set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
0048 | Ensure 'Allow log on locally' set to 'Administrators, Users' | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
0049 | Ensure 'SeBackupPrivilege' is set to 'Administrator' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
0050 | Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE' | Compliant | True
0051 | Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\Users | False
0052 | Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE' | The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICE | False
0053 | Ensure 'SeCreateTokenPrivilege' is set to 'None' | The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SID | False
0054 | Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0055 | Ensure 'SeCreatePermanentPrivilege' is set to 'None' | The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SID | False
0056 | Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator' | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
0057 | Ensure 'SeDebugPrivilege' is set to 'Administrator' | Compliant | True
0064 | Ensure 'SeEnableDelegationPrivilege' is set to 'None' | The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SID | False
0066 | Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator' | Compliant | True
0067 | Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True
0068 | Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE' | The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICE | False
0069 | Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator' | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False
0085 | Ensure 'SeRelabelPrivilege' is set to 'None' | The user 'SeRelabelPrivilege' setting does not contain the following users: NULL SID | False
0086 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator' | Compliant | True
0087 | Ensure 'SeManageVolumePrivilege' is set to 'Administrator' | Compliant | True
0088 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator' | Compliant | True
0089 | Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE\WdiServiceHost' | Compliant | True
0090 | Ensure 'SeRestorePrivilege' is set to 'Administrator' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
0091 | Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users' | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
0094 | Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator' | Compliant | True
0104 | Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest' | The user right 'SeDenyNetworkLogonRight' contains following unexpected users: LOCAL; the user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False
0105 | Ensure 'SeDenyBatchLogonRight' is set to 'Guest' | Compliant | True
0106 | Ensure 'SeDenyServiceLogonRight' is set to 'Guest' | Compliant | True
0107 | Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest' | Compliant | True
0108 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest' | Compliant | True
0180 | Ensure 'Load and unload device drivers' is set to 'Administrator' | Compliant | True
0181 | Ensure 'Lock pages in memory' is set to 'No one' | The user 'SeLockMemoryPrivilege' setting does not contain the following users: NULL SID | False
0182 | Ensure 'Log on as a batch job' is set to 'Administrator' | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False
0183 | Ensure 'Log on as a service' is set to 'No one' | The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines; the user 'SeServiceLogonRight' setting does not contain the following users: NULL SID | False
0184 | Ensure 'Manage auditing and security log' is set to 'Administrator' | Compliant | True
0219 | Ensure 'Replace a process level token' is set to 'Local Service, Network Service' | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
0303 | Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User' | The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\Administrators | False

Account Policies-

IdTaskMessageStatus
0001 Ensure 'Maximum password age' is set to between 1 and 42'MaximumPasswordAge' currently set to: 60. Expected: x <= 42 and x >= 1False
0002 Ensure 'Password must meet complexity requirements' is set to 'Enabled'CompliantTrue
0100 Ensure 'Reset account lockout counter after' is set greater or equal 15CompliantTrue
0102 Ensure 'Account lockout duration' is set to '15 or more minute(s)'CompliantTrue
0103Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10CompliantTrue
0162 Ensure 'Enforce password history' is set greater or equal 24CompliantTrue
0186 Ensure 'Minimum password age' is set to greater or equal 1CompliantTrue
0187 Ensure 'Minimum password length' is set to greater or equal 14CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
0008 Ensure 'Audit Application Group Management' is set to 'Success and Failure'CompliantTrue
0011 Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'Set to: No AuditingFalse
0012 Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure'Set to: SuccessFalse
0013 Ensure 'Audit account management' is set to 'SuccessAndFailure'CompliantTrue
0014 Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0015 Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0016 Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure'CompliantTrue
0017 Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure'Set to: FailureFalse
0018 Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure'CompliantTrue
0019 Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure'CompliantTrue
0020 Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled'CompliantTrue
0021 Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure'CompliantTrue
0022 Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0023 Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0025 Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure'CompliantTrue
0026 Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure'CompliantTrue
0027 Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0028 Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure'Set to: SuccessFalse
0029 Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure'CompliantTrue
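Review bot: the failure messages for user rights whose expected value is 'None' or 'No one' (0064 SeEnableDelegationPrivilege, 0085 SeRelabelPrivilege, 0181 'Lock pages in memory', 0183 'Log on as a service') read "setting does not contain the following users: NULL SID", which gives the reader nothing actionable and looks like an empty expected list being rendered as a placeholder SID; an empty expectation should produce a message along the lines of "expected no principals, found: ..." and should not report NULL SID as missing. In the same table, 0104 SeDenyNetworkLogonRight lists 'LOCAL' as an unexpected user and 'NT AUTHORITY\Local account' as a missing one in a single result, so the comparison appears to split principal names on whitespace or to compare display names rather than SIDs; comparing resolved SIDs (S-1-5-113 for Local account) would remove both the false finding and the contradictory pair of messages.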
diff --git a/Samples/Outdated/Microsoft Windows 10 BSI.html b/Samples/Outdated/Microsoft Windows 10 BSI.html new file mode 100644 index 0000000..5091be6 --- /dev/null +++ b/Samples/Outdated/Microsoft Windows 10 BSI.html @@ -0,0 +1,28 @@ +Windows 10 BSI Report [01/17/2022 14:01:24]

Windows 10 BSI Report

Generated by the ATAPAuditor Module Version 4.14 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.

Based on:

  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 01/17/2022 14:01:24 on DESKTOP-UTMU75K.fb-pro.com with TAPHtmlReport version 1.8.

HostnameDESKTOP-UTMU75K.fb-pro.com
Build Number19043
Free disk space(GB) 100.1
Free physical memory (GB)4.972
Operating SystemMicrosoft Windows 10 Pro
Installation LanguageEnglish (United States)

Summary

A total of 1250 tests have been executed.

  1. True 994 test(s) ≙ 79.52%
  2. False 256 test(s) ≙ 20.48%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SiSyPHuS Logging.

  1. True 51 test(s) ≙ 100.00%
  2. False 0 test(s) ≙ 0.00%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS HD

A total of 379 tests have been executed in section BSI Benchmarks SiSyPHuS HD.

  1. True 313 test(s) ≙ 82.59%
  2. False 66 test(s) ≙ 17.41%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS ND

A total of 287 tests have been executed in section BSI Benchmarks SiSyPHuS ND.

  1. True 240 test(s) ≙ 83.62%
  2. False 47 test(s) ≙ 16.38%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiSyPHuS NE

A total of 258 tests have been executed in section BSI Benchmarks SiSyPHuS NE.

  1. True 212 test(s) ≙ 82.17%
  2. False 46 test(s) ≙ 17.83%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SiM-08202 - BPOL

A total of 275 tests have been executed in section BSI Benchmarks SiM-08202 - BPOL.

  1. True 178 test(s) ≙ 64.73%
  2. False 97 test(s) ≙ 35.27%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

BSI Benchmarks SiSyPHuS Logging-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
4.1.1Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'CompliantTrue
4.1.2Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'CompliantTrue
4.2.1.1Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'CompliantTrue
4.2.1.2Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.1.3Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.1.4Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.2.1Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'CompliantTrue
4.2.2.2Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.2.2.3Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'CompliantTrue
4.2.2.4Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'CompliantTrue
4.2.3.1Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'CompliantTrue
4.2.3.2Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'CompliantTrue
4.2.3.3Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'CompliantTrue
4.2.3.4Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'CompliantTrue
4.3.1.1Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'CompliantTrue
4.3.2.1.1Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.1.2Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.2.1Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.2.2Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.3.1Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'CompliantTrue
4.3.2.3.2Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.2.4.1Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'CompliantTrue
4.3.2.4.2Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'CompliantTrue
4.3.3.1Ensure 'Include command line in process creation events' is set to 'Disabled'CompliantTrue
4.3.4.2Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'CompliantTrue
4.3.4.3Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
5.1.1.1Ensure 'Audit Credential Validation' is set to 'Success and Failure'CompliantTrue
5.1.1.2Ensure 'Audit User Account Management' is set to 'Success and Failure'CompliantTrue
5.1.1.3Ensure 'Audit Account Lockout' is set to include 'Failure'CompliantTrue
5.1.1.4Ensure 'Audit Group Membership' is set to include 'Success'CompliantTrue
5.1.1.5Ensure 'Audit Logoff' is set to include 'Success'CompliantTrue
5.1.1.6Ensure 'Audit Logon' is set to 'Success and Failure'CompliantTrue
5.1.1.7Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'CompliantTrue
5.1.1.8Ensure 'Audit Special Logon' is set to include 'Success'CompliantTrue
5.2.1.1Ensure 'Audit Other System Events' is set to 'Success and Failure'CompliantTrue
5.2.1.2Ensure 'Audit Security State Change' is set to include 'Success'CompliantTrue
5.2.1.3Ensure 'Audit Security System Extension' is set to include 'Success'CompliantTrue
5.2.1.4Ensure 'Audit System Integrity' is set to 'Success and Failure'CompliantTrue
5.2.1.5Ensure 'Audit File Share' is set to 'Success and Failure'CompliantTrue
5.2.1.6Ensure 'Audit Detailed File Share' is set to include 'Failure'CompliantTrue
5.2.1.7Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'CompliantTrue
5.2.1.8Ensure 'Audit Removable Storage' is set to 'Success and Failure'CompliantTrue
5.2.1.9Ensure 'Audit PNP Activity' is set to include 'Success'CompliantTrue
5.3.1.1Ensure 'Audit Security Group Management' is set to include 'Success'CompliantTrue
5.3.1.2Ensure 'Audit Audit Policy Change' is set to include 'Success'CompliantTrue
5.3.1.3Ensure 'Audit Authentication Policy Change' is set to include 'Success'CompliantTrue
5.3.1.4Ensure 'Audit Authorization Policy Change' is set to include 'Success'CompliantTrue
5.3.1.5Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'CompliantTrue
5.3.1.6Ensure 'Audit Other Policy Change Events' is set to include 'Failure'CompliantTrue
5.5.1.1Ensure 'Audit Process Creation' is set to include 'Success'CompliantTrue
5.5.1.2Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'CompliantTrue

BSI Benchmarks SiSyPHuS HD-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
11(HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'.CompliantTrue
13(HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
15(HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'CompliantTrue
18(HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'.CompliantTrue
19(HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
23(HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
28(HD) Ensure 'Enable Font Providers' is set to 'Disabled'. CompliantTrue
29(HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'.CompliantTrue
30(HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. CompliantTrue
31(HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'.CompliantTrue
32(HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
36(HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
38(HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'.Registry key not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
47(HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'.CompliantTrue
48(HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'.CompliantTrue
49(HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'.CompliantTrue
57(ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'.CompliantTrue
58(HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'.CompliantTrue
59(ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured.Registry value not found.False
60(ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured.CompliantTrue
61(ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'.CompliantTrue
62(ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'.CompliantTrue
63(ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. CompliantTrue
64(ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'.CompliantTrue
65(ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'.Registry key not found.False
66(HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'.CompliantTrue
67(HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'.CompliantTrue
68(ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'.CompliantTrue
69(HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'.CompliantTrue
70(HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'.Registry key not found.False
71(HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'.CompliantTrue
72(HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. CompliantTrue
73(HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'.CompliantTrue
74(ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'.CompliantTrue
75(HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. CompliantTrue
76(HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'.CompliantTrue
77(HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. CompliantTrue
78(HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. CompliantTrue
79(HD) Ensure 'Turn off access to the Store' is set to 'Enabled'.CompliantTrue
80(HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'.CompliantTrue
81(ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'.CompliantTrue
82(HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' .CompliantTrue
83(HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'.CompliantTrue
84(ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' .CompliantTrue
85(ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. CompliantTrue
86(ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'.CompliantTrue
87(ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'.CompliantTrue
88(ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'.Registry key not found.False
89(ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'.Registry value not found.False
90(ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'.Registry value not found.False
91(HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. Registry key not found.False
92(HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'.Registry key not found.False
93(HD) Ensure 'Allow Online Tips' is set to 'Disabled'.CompliantTrue
94(ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'.CompliantTrue
95(ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'.CompliantTrue
96(ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'.Registry key not found.False
97(ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'.Registry key not found.False
98(ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'.Registry key not found.False
99(ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'.Registry key not found.False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
104(HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. CompliantTrue
105(ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.CompliantTrue
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
108(HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
110(HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. Registry value not found.False
111(HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'.Registry value not found.False
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
122(HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. CompliantTrue
123(HD) Ensure 'Allow Use of Camera' is set to 'Disabled'.Registry value is '1'. Expected: 0False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
125(HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
128(HD) Ensure 'Turn off location' is set to 'Enabled'.CompliantTrue
129(HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'.CompliantTrue
130(HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'.CompliantTrue
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
132(HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'.CompliantTrue
133(HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
140(HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. CompliantTrue
141(HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'.CompliantTrue
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
144(HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
150(HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. CompliantTrue
151(HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'.Registry value not found.False
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
154(HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'.CompliantTrue
155(HD) Ensure 'Turn off the Store application' is set to 'Enabled'.CompliantTrue
156(HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '1'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
166(HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
176(HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'.CompliantTrue
177(ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'.CompliantTrue
178(ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'.CompliantTrue
179(HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'.CompliantTrue
180(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'.CompliantTrue
181(ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'.Registry key not found.False
182(HD) Ensure 'Prevent Codec Download' is set to 'Enabled'.Registry key not found.False
184(HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. Registry key not found.False
185(ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. CompliantTrue
186(ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. CompliantTrue
187(ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'.CompliantTrue
188(ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'.CompliantTrue
189(ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. CompliantTrue
190(HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'.Registry value is '1'. Expected: 0False
191(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
192(ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. CompliantTrue
193(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
194(ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'.CompliantTrue
195(HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'.Registry value not found.False
196(ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.CompliantTrue
197(ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. CompliantTrue
198(ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'.CompliantTrue
199(ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'.CompliantTrue
209(ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'.CompliantTrue
210(ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.CompliantTrue
211(ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. CompliantTrue
212(ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. CompliantTrue
213(ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'.CompliantTrue
214(ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'.CompliantTrue
215(ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. CompliantTrue
216(ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'.CompliantTrue
217(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.CompliantTrue
218(ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'.Registry value is '3'. Expected: 1False
219(ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'.CompliantTrue
220(ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'.CompliantTrue
221(ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. CompliantTrue
222(ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. CompliantTrue
223(ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. CompliantTrue
224(ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'.CompliantTrue
225(HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'.CompliantTrue
226(ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'.CompliantTrue
227(ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'.CompliantTrue
228(HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'.CompliantTrue
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. CompliantTrue
230(ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'.CompliantTrue
231(ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'.CompliantTrue
232(ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. CompliantTrue
233(ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher.CompliantTrue
234(ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'.CompliantTrue
239(ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. CompliantTrue
240(ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'.CompliantTrue
241(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.Registry value is '0'. Expected: 1False
242(ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'.CompliantTrue
243(ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'.CompliantTrue
244(ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'.CompliantTrue
245(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'.Registry value is '0'. Expected: 1False
246(ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Registry value is '0'. Expected: 1False
247(ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. CompliantTrue
248(ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher.CompliantTrue
250(HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'.Registry value not found.False
251(HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'.Registry value not found.False
252(ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.CompliantTrue
253(ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'.CompliantTrue
254(ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'.CompliantTrue
255(ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'.CompliantTrue
256(ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. CompliantTrue
257(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. CompliantTrue
258(ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.CompliantTrue
259(ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher.CompliantTrue
260(ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'.CompliantTrue
261(ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'.CompliantTrue
262(ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'.CompliantTrue
263(ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.Registry value not found.False
264(ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'.CompliantTrue
265(ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'.CompliantTrue
266(ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. CompliantTrue
267(ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'.CompliantTrue
268(ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. CompliantTrue
269(ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. CompliantTrue
270(ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'.CompliantTrue
271(ND, NE) Configure 'Network access: Remotely accessible registry paths'.CompliantTrue
272(ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. CompliantTrue
273(HD) Ensure 'System settings: Optional subsystems' is set to 'None'. Registry value is ''. Expected: False
274(HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'.CompliantTrue
275(ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. CompliantTrue
276(ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'.CompliantTrue
316(HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'.CompliantTrue
317(ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'.Registry value not found.False
318(HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
319(HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
320(ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
321(NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'.CompliantTrue
322(HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'.CompliantTrue
323(ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
324(NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'.CompliantTrue
325(HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'.CompliantTrue
326(ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
327(HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'.CompliantTrue
328(ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
329(HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'.CompliantTrue
330(HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'.Registry value is '3'. Expected: 4False
331(ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
332(HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'.CompliantTrue
333(HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'.CompliantTrue
334(HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'.CompliantTrue
335(HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. CompliantTrue
336(HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'.CompliantTrue
337(HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'.CompliantTrue
338(ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'.CompliantTrue
339(ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'.CompliantTrue
340(HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'.CompliantTrue
341(ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
342(HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
343(ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'.CompliantTrue
344(HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'.CompliantTrue
345(ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. CompliantTrue
346(HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'.CompliantTrue
347(HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'.CompliantTrue
348(ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
349(ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'.CompliantTrue
350(HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'.CompliantTrue
351(HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. CompliantTrue
352(HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. CompliantTrue
353(HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'.CompliantTrue
354(HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. CompliantTrue
355(HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'.Registry value is '2'. Expected: 4False
356(ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'.CompliantTrue
357(ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'.CompliantTrue
358(ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'.CompliantTrue
359(ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'.CompliantTrue
360(ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'.CompliantTrue
361(ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'.CompliantTrue
362(ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'.CompliantTrue
363(ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'.CompliantTrue
364(ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'.CompliantTrue
365(ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' .CompliantTrue
366(ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'.CompliantTrue
367(ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'.CompliantTrue
368(ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'.CompliantTrue
369(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'.CompliantTrue
370(ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'.CompliantTrue
371(ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'.CompliantTrue
372(ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'.CompliantTrue
373(ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'.CompliantTrue
374(ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'.CompliantTrue
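Review bot: Several rows in this table lose the information a reader needs to act on them. Row 273 reports "Registry value is ''. Expected: " with the expected value empty, so the reader cannot tell what the check wanted; rows 172_1 through 172_11 all carry the identical task text "Set the state for each ASR rule" with no indication of which rule each row evaluated, so a failing row would be unlocatable; and rows 180 and 181 share the task "Always install with elevated privileges" but report opposite results (Compliant vs. "Registry key not found") without saying which hive or policy path each one checked. Suggest the generator include the rule identifier or registry path in the Task or Message column and never emit an empty Expected value. Also worth noting for the failed WinRM-related rows (190, 195, 355) and the SMB signing rows (241, 245, 246): these are the findings with the most direct security impact on this table and would benefit from being surfaced in a summary rather than buried among the many Compliant rows.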

User Rights Assignment-

IdTaskMessageStatus
277(ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'.CompliantTrue
278(ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'.CompliantTrue
279(ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. + +CompliantTrue
280(ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
281(HD) Configure 'Log on as a service'.The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual MachinesFalse
282(ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'.The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
283(HD) Ensure 'Log on as a batch job' is set to 'Administrators'.The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log UsersFalse
284(ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'.The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account +The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCALFalse
285(ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. CompliantTrue
286(ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. CompliantTrue
287(ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. + +The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVERFalse
288(ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'.CompliantTrue
289(ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators +The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
290(ND, NE) Ensure 'Debug programs' is set to 'Administrators'.CompliantTrue
291(ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'.CompliantTrue
292(ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'.CompliantTrue
293(ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'.CompliantTrue
294(ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'.The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVERFalse
295(ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'.CompliantTrue
296(ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. CompliantTrue
297(ND, NE) Ensure 'Profile single process' is set to 'Administrators'.CompliantTrue
298(ND, NE) Ensure 'Create a token object' is set to 'No One'.CompliantTrue
299(ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'.CompliantTrue
300(ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'.The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual MachinesFalse
301(ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. CompliantTrue
302(ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'.CompliantTrue
303(ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'.CompliantTrue
304(ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'.The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
305(ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'.CompliantTrue
306(ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. +The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
307(ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup OperatorsFalse
308(ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'.The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
309(ND, NE) Ensure 'Lock pages in memory' is set to 'No One'.CompliantTrue
310(ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' .CompliantTrue
311(ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. CompliantTrue
312(ND, NE) Ensure 'Modify an object label' is set to 'No One'.CompliantTrue
313(ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'.CompliantTrue
314(ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
315(ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. + +The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGONFalse
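Review bot: This section embeds identifiers from the machine the scan ran on: the hostname DESKTOP-UTMU75K (rows 281 and 307), a local account named OldGuest (row 307), and the SQL Server service SIDs NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT (rows 281, 287, 294). If this report is intended as sample output in the repository, those values should be scrubbed or the report regenerated from a clean reference machine; if it is a real assessment result, committing it here publishes the host's account inventory and its failing user-rights assignments. Separately, rows 284 and 289 pack two distinct messages ("contains following unexpected users" and "does not contain the following users") into one Message cell with an embedded line break, and rows 279, 287 and 315 carry stray line-continuation residue inside the cell; one message per cell, or a fixed delimiter between them, would make the table parseable.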

Account Policies-

IdTaskMessageStatus
200(ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'.CompliantTrue
201(ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'.CompliantTrue
202(ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'.CompliantTrue
203(ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.CompliantTrue
204(ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'.CompliantTrue
205(ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' .CompliantTrue
206(ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'.CompliantTrue
207(ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'.CompliantTrue
208(ND) Ensure 'Reset account lockout counter after' is set to '15 or +more minute(s)'. CompliantTrue

BSI Benchmarks SiSyPHuS ND-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

IdTaskMessageStatus
1(ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. CompliantTrue
2(ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver.CompliantTrue
3(ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'.CompliantTrue
4(ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'.CompliantTrue
5(ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'.CompliantTrue
6(ND, NE) Ensure 'LSA Protection' is set to 'Enabled'.Registry value not found.False
7(ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'.Registry value not found.False
8(ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'.CompliantTrue
9(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
10(ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'.CompliantTrue
12(ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'.CompliantTrue
14(ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'.CompliantTrue
16(ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'.CompliantTrue
17(ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'.CompliantTrue
20(ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'.CompliantTrue
21(ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'.CompliantTrue
22(ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'.CompliantTrue
24_1(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
24_2(ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL".CompliantTrue
25(ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'.CompliantTrue
26(ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. CompliantTrue
27(ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.CompliantTrue
33(ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'.Registry value not found.False
34(ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' CompliantTrue
35(ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'.CompliantTrue
37(ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found.False
39(ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. CompliantTrue
40(ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. CompliantTrue
41(ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'.CompliantTrue
42(ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.CompliantTrue
43(ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.CompliantTrue
44(ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'.CompliantTrue
45(ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.CompliantTrue
46(ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'.CompliantTrue
50(ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'.CompliantTrue
51(ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'.CompliantTrue
52(ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' .CompliantTrue
53(ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.CompliantTrue
54(ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'.CompliantTrue
55(ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.CompliantTrue
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'. | Registry value not found. | False
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. | Registry value not found. | False
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. | Registry value is '1'. Expected: 99 | False
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True

User Rights Assignment-

Id | Task | Message | Status
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account; The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators; The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False

Account Policies-

Id | Task | Message | Status
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True

BSI Benchmarks SiSyPHuS NE-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id | Task | Message | Status
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. | Compliant | True
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. | Compliant | True
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". | Compliant | True
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
41 | (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. | Compliant | True
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. | Compliant | True
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False
100_1(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'.Registry value not found.False
100_2(ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled'.Registry value not found.False
101(ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'.CompliantTrue
102(ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found.False
103(ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'.Registry key not found.False
106(ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.CompliantTrue
107(ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'.CompliantTrue
109(ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.CompliantTrue
112(ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
113(ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.CompliantTrue
114(ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'.Registry value not found.False
115(ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.CompliantTrue
116(ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.CompliantTrue
117(ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.CompliantTrue
118(ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.CompliantTrue
119(ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'.CompliantTrue
120(ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'.CompliantTrue
121(ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'.Registry value not found.False
124(ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.CompliantTrue
126(ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'.Registry key not found.False
127(ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'.Registry key not found.False
131(ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'.CompliantTrue
134(ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'.CompliantTrue
135(ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. CompliantTrue
136(ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'.CompliantTrue
137(ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'.CompliantTrue
138(ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. CompliantTrue
139(ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'.Registry key not found.False
142(ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'.Registry value not found.False
143(ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. CompliantTrue
145(ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'.CompliantTrue
146(ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'.CompliantTrue
147(ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'.CompliantTrue
148(ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. CompliantTrue
149(ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.CompliantTrue
152(ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. CompliantTrue
153(ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'.CompliantTrue
157(ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'.CompliantTrue
158(ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'.CompliantTrue
159(ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found.False
160(ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' .Registry value is '1'. Expected: 99False
161(ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. CompliantTrue
162(ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'.CompliantTrue
163(ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'.CompliantTrue
164(ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'.CompliantTrue
165(ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'.CompliantTrue
167(ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.CompliantTrue
168(ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'.CompliantTrue
169(ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'.CompliantTrue
170(ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'.CompliantTrue
171(ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'.CompliantTrue
172_1(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_2(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_3(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_4(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_5(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_6(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_7(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_8(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_9(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_10(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
172_11(ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'.CompliantTrue
173(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. CompliantTrue
174(ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'.CompliantTrue
175(ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'.CompliantTrue
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Registry key not found. | False
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. | Compliant | True
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. | Compliant | True
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True

User Rights Assignment

Id | Task | Message | Status
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account +The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, LOCAL | False
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Users, BUILTIN\Backup Operators +The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER | False
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup Operators | False
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. | Compliant | True
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON | False

Account Policies

Id | Task | Message | Status
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. | Compliant | True

BSI Benchmarks SiM-08202 - BPOL

This section contains the BSI Benchmark results.

Registry Settings/Group Policies

Id | Task | Message | Status
0003 | Ensure 'Configure Automatic Updates' is set to 4. | Registry value not found. | False
0004 | Ensure 'Configure Automatic Updates' is set to 'Every Day'. | Compliant | True
0005 | Ensure 'Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. | Compliant | True
0006 | Ensure 'Specify the maximum log file size (KB)' is set to 'Enabled: 32768'. | Compliant | True
0032 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 32768. | Registry key not found. | False
0037 | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'. | Compliant | True
0038 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'. | Compliant | True
0039 | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'. | Registry value not found. | False
0040 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True
0041 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True
0043 | Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Compliant | True
0065 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry value not found. | False
0101 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled'. | Compliant | True
0109 | Ensure 'Allow Telemetry' is set to 0. | Registry value is '1'. Expected: 0 | False
0110 | Ensure 'Do not show feedback notifications' is set to 1. | Compliant | True
0111 | Ensure 'Turn on MSDT interactive communication with support provider' is set to 'Disabled'. | Compliant | True
0112 | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True
0113 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True
0114 | Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True
0115 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True
0116 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True
0117 | Ensure 'Turn off the Windows Customer Experience program' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False
0118 | Ensure 'Turn off the Windows Error Reporting' is set to 'Enabled'. | Compliant | True
0119 | Ensure 'Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True
0121 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True
0122 | Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False
0123 | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'. | Compliant | True
0131 | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True
0132 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True
0133 | Ensure 'Allow InPrivate browsing' is set to 'Disabled'. | Compliant | True
0135 | Ensure 'Allow Standby States (S1-S3) When Sleeping (On Battery)' is set to 'Disabled'. | Compliant | True
0136 | Ensure 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' is set to 'Disabled'. | Compliant | True
0137 | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True
0138 | Ensure 'Always install with elevated privileges' is set to 'Disabled'. | Compliant | True
0139 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True
0140 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled'. | Registry value is '3'. Expected: 1 | False
0141 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True
0142 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True
0143 | Ensure 'Configure Password Manager' is set to 'Disabled'. | Registry value not found. | False
0144 | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'. | Compliant | True
0145 | Ensure 'Configure registry policy processing' is set to 'Do not apply during periodic background processing (False)'. | Compliant | True
0146 | Ensure 'Configure registry policy processing' is set to 'Process even if the Group Policy objects have not changed (False)'. | Registry value is '0'. Expected: 1 | False
0147 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True
0148 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Registry value is '1'. Expected: 0 | False
0149 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True
0150 | Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'. | Compliant | True
0151 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True
0152 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True
0153 | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Registry value is '1'. Expected: 0 | False
0154 | Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True
0155 | Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True
0156 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True
0157 | Ensure 'Enable local admin password management' is set to 'Enabled'. | Compliant | True
0158 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True
0159 | Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False
0160 | Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Compliant | True
0161 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True
0163 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True
0164 | Ensure 'Include command line in process creation events' is set to 'Disabled'. | Registry key not found. | False
0165 | Ensure 'Let Windows apps access account information' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0166 | Ensure 'Let Windows apps access call history' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0167 | Ensure 'Let Windows apps access contacts' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0168 | Ensure 'Let Windows apps access email' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0169 | Ensure 'Let Windows apps access location' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0170 | Ensure 'Let Windows apps access messaging' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0171 | Ensure 'Let Windows apps access motion' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0172 | Ensure 'Let Windows apps access notifications' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0173 | Ensure 'Let Windows apps access the calendar' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0174 | Ensure 'Let Windows apps access the camera' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0175 | Ensure 'Let Windows apps access the microphone' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0176 | Ensure 'Let Windows apps access trusted devices' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0177 | Ensure 'Let Windows apps control radios' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0178 | Ensure 'Let Windows apps make phone calls' is set to 'Enabled: Force Deny'. | Registry value not found. | False
0179Ensure 'Let Windows apps sync with devices' set to 'Enabled:Force Deny'.Registry value not found.False
0185Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' set to 'Enabled'.Registry value not found.False
0209Ensure 'Prevent downloading of enclosures' set to 'Enabled'.CompliantTrue
0210Ensure 'Prevent enabling lock screen camera' set to 'Enabled'.CompliantTrue
0211Ensure 'Prevent enabling lock screen slide show' set to 'Enabled'.CompliantTrue
0212Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Enabled'.Registry value not found.False
0213Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Enabled'.CompliantTrue
0214Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' set to 'Disabled'.CompliantTrue
0215Ensure 'Prevent the computer from joining a homegroup' set to 'Enalbed'.CompliantTrue
0216Ensure 'Prohibit access of the Windows Connect Now wizards' set to 'Enalbed'.CompliantTrue
0217Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' set to 'Enalbed'.CompliantTrue
0218Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' set to 'Enalbed'.Registry value is '0'. Expected: 1False
0220Ensure 'Require a password when a computer wakes (on battery)' set to 'Enalbed'.CompliantTrue
0221Ensure 'Require a password when a computer wakes (plugged in)' set to 'Enalbed'.CompliantTrue
0222Ensure 'Require additional authentication at startup' set to 'Enalbed'.CompliantTrue
0223Ensure 'Require domain users to elevate when setting a network's location' set to 'Enalbed'.CompliantTrue
0224Ensure 'Set the default behavior for AutoRun' set to 'Enalbed: Do not execute any autorun commands'.CompliantTrue
0225Ensure 'Sign-in last interactive user automatically after a system-initiated restart' set to 'Disabled'.CompliantTrue
0229Ensure 'Turn off background refresh of Group Policy' set to 'Disabled'.CompliantTrue
0230Ensure 'Turn off Data Execution Prevention for Explorer' set to 'Disabled'.CompliantTrue
0231Ensure 'Turn off downloading of print drivers over HTTP' set to 'Enabled'.CompliantTrue
0232Ensure 'Turn off handwriting personalization data sharing' set to 'Enabled'.CompliantTrue
0233Ensure 'Turn off handwriting recognition error reporting' set to 'Enabled'.CompliantTrue
0234Ensure 'Turn off heap termination on corruption' set to 'Disabled'.CompliantTrue
0235Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' set to 'Enabled'.CompliantTrue
0236Ensure 'Turn off Internet download for Web publishing and online ordering wizards' set to 'Enabled'.CompliantTrue
0237Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' set to 'Enabled'.CompliantTrue
0238Ensure 'Turn off picture password sign-in' set to 'Enabled'.CompliantTrue
0239Ensure 'Turn off printing over HTTP' set to 'Enabled'.CompliantTrue
0240Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' set to 'Enabled'.CompliantTrue
0241Ensure 'Turn off Search Companion content file updates' set to 'Enabled'.CompliantTrue
0242Ensure 'Turn off shell protocol protected mode' set to 'Disabled'.CompliantTrue
0243Ensure 'Turn off the 'Order Prints' picture task' set to 'Enabled'.CompliantTrue
0244Ensure 'Turn off the 'Publish to Web' task for files and folders' set to 'Enabled'.CompliantTrue
0245Ensure 'Turn on convenience PIN sign-in' set to 'Disabled'.CompliantTrue
0246Ensure 'Turn on Mapper I/O (LLTDIO) driver' set to 'Disabled'.CompliantTrue
0247Ensure 'Turn on Responder (RSPNDR) driver' set to 'Disabled'.CompliantTrue
0248Ensure 'Turn On Virtualization Based Security' set to 'Enabled: Block untrusted fonts and log events'.CompliantTrue
0249Ensure 'Untrusted Font Blocking' set to 'Enabled'.Registry key not found.False
0250Ensure 'Configure enhanced anti-spoofing' set to 'Enabled'.CompliantTrue
0251Ensure 'WDigest Authentication' set to 'Enabled'.Registry value is '0'. Expected: 1False
0253Ensure 'Windows Firewall: Domain: Apply local firewall rules' set to 'Disabled'.Registry value not found.False
0254Ensure 'Windows Firewall: Domain: Display a notification' set to 'Disabled'.Registry value is '1'. Expected: 0False
0279Ensure 'Windows Firewall: Domain: Logging: Name' set to '%windir%\system32\logfiles\firewall\domainfirewall.log'.Registry value is '%SystemRoot%\System32\logfiles\firewall\domainfw.log'. Expected: %windir%\system32\logfiles\firewall\domainfirewall.logFalse
0280Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' set to '16,384'.CompliantTrue
0281Ensure 'Windows Firewall: Public: Outbound connections' set to 'Allow'.Registry value is '0'. Expected: 1False
0282Ensure 'Block launching Windows Store apps with Windows RuntimeAPIaccessfromhostedcontent' set to 'Enabled'.CompliantTrue
0283Ensure 'Turn off KMS Client Online AVS Validation' set to 'Enabled'.CompliantTrue
0284Ensure 'Do not display the password reveal button' set to 'Enabled'.CompliantTrue
0285Ensure 'Join Microsoft MAPS' set to 'Disabled'.Registry value not found.False
0286Ensure 'Configure search suggestions in Address bar' set to 'Disabled'.CompliantTrue
0287Ensure 'Configure Windows SmartScreen' set to 'Enabled: Require approval from an administrator before running downloaded unknown software'.Registry value is '1'. Expected: 2False
0288Ensure 'Don't allow SmartScreen Filter warning overrides for unverified files' set to 'Enabled'.CompliantTrue
0289Ensure 'Don't allow SmartScreen Filter warning overrides' set to 'Enabled'.CompliantTrue
0290Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'.Registry value not found.False
0291Ensure 'Prevent managing SmartScreen Filter' set to 'Enabled: On'.CompliantTrue
0292Ensure 'Turn on SmartScreen Filter scan' set to 'Enabled'.CompliantTrue
0293Ensure 'Allow Cortana' set to 'Disabled'.CompliantTrue
0294Ensure 'Allow search and Cortana to use location' set to 'Disabled'.CompliantTrue
0295Ensure 'Disable all apps from Microsoft Store' set to 'Enabled'.Registry value not found.False
0296Ensure 'Disable pre-release features or settings' set to 'Disabled'.Registry value not found.False
0297Ensure 'Turn off access to the Store' set to 'Enabled'.CompliantTrue
0298Ensure 'Turn off Automatic Download and Install of updates' set to 'Enabled'.Registry value is '4'. Expected: 2False
0299Ensure 'Turn off the offer to update to the latest version of Windows' set to 'Enabled'.CompliantTrue
0300Ensure 'Turn off the Store application' set to 'Enabled'.CompliantTrue
0301Ensure 'Allow Basic authentication' set to 'Disabled'.CompliantTrue
0302Ensure 'Allow unencrypted traffic' set to 'Disabled'.CompliantTrue
0304Ensure 'Allow Remote Shell Access' set to 'Disabled'.Registry value is '1'. Expected: 0False
0306Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'.CompliantTrue
0307Ensure 'Disallow Digest authentication' set to 'Enabled'.CompliantTrue
0308Ensure 'Disallow WinRM from storing RunAs credentials' set to 'Enabled'.CompliantTrue
0309Ensure 'Do not allow COM port redirection' set to 'Enabled'.CompliantTrue
0310Ensure 'Do not allow drive redirection' set to 'Enabled'.CompliantTrue
0311Ensure 'Do not allow LPT port redirection' set to 'Enabled'.CompliantTrue
0312Ensure 'Do not use temporary folders per session' set to 'Disabled'.Registry value not found.False
0313Ensure 'Apply UAC restrictions to local accounts on network logons' set to 'Enabled'.CompliantTrue
0323Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' set to 'Disabled'.Registry value is ''. Expected: False
0324Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' set to 'Disabled'.Registry value is ''. Expected: False
0325Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' set to 'XTS-AES 256-bit'.Registry value not found.False
0328Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Enabled'.CompliantTrue
0329Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Enabled'.CompliantTrue
0330Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Enabled'.Registry value not found.False
0331Ensure 'Configure minimum PIN length for startup' set to 'Enabled' and 'minimum characters' set to 10.Registry value not found.False
0332Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Enabled'.CompliantTrue
0333Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Enabled'.CompliantTrue
0334Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Enabled'.CompliantTrue
0335Ensure 'Configure use of passwords for fixed data drives' set to 'Disabled'.CompliantTrue
0336Ensure 'Configure use of passwords for operating system drives' set to 'Disabled'.CompliantTrue
0337Ensure 'Configure use of passwords for removable data drives' set to 'Disabled'.Registry value not found.False
0338Ensure 'Configure use of smart cards on fixed data drives' set to 'Enabled'.CompliantTrue
0339Ensure 'Configure use of smart cards on removable data drives' set to 'Enabled'.CompliantTrue
0340Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Enabled'.CompliantTrue
82020342Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Save BitLocker recovery information to AD DS for fixed data drives'.CompliantTrue
0343Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Save BitLocker recovery information to AD DS for operating system drives'.CompliantTrue
0344Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Save BitLocker recovery information to AD DS for removable data drives'.CompliantTrue
0345Ensure 'Require additional authentication at startup' set to 'Do not allow startup key and PIN with TPM'.Registry value not found.False
0346Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow data recovery agent'.CompliantTrue
0347Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Allow data recovery agent'.CompliantTrue
0348Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Allow data recovery agent'.CompliantTrue
0349Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'.CompliantTrue
0350Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'.CompliantTrue
0351Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Use BitLocker software-based encryption when hardware encryption is not available'.CompliantTrue
0352Ensure 'Configure use of smart cards on fixed data drives' set to 'Require use of smart cards on fixed data drives'.CompliantTrue
0353Ensure 'Configure use of smart cards on removable data drives' set to 'Require use of smart cards on removable data drives'.CompliantTrue
0354Ensure 'Deny write access to removable drives not protected by BitLocker' set to 'Do not allow write access to devices configured in another organization'.Registry value is '0'. Expected: 1False
0355Ensure 'Password Settings' set to 'Large letters + small letters + numbers + specials'.CompliantTrue
0358Ensure 'Require additional authentication at startup' set to 'Allow BitLocker without a compatible TPM'.CompliantTrue
0359Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard'.CompliantTrue
0360Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (Test)'.CompliantTrue
0361Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Omit recovery options from the BitLocker setup wizard (True)'.CompliantTrue
0362Ensure 'Require additional authentication at startup' set to 'Do not allow startup key with TPM'.Registry value not found.False
0363Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Allow 48-digit recovery password'.CompliantTrue
0364Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Require 48-digit recovery password '.Registry value is '2'. Expected: 1False
0365Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 48-digit recovery password'.Registry value not found.False
0366Ensure 'Configure use of hardware-based encryption for fixed data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption'.CompliantTrue
0367Ensure 'Configure use of hardware-based encryption for operating system drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'.CompliantTrue
0368Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Restrict encryption algorithms and cipher suites allowed for hardware-based encryption (False)'.CompliantTrue
0369Ensure 'Configure use of hardware-based encryption for removable data drives' set to 'Password Length' and set to greater or equal 15.Registry value is '14'. Expected: x >= 15False
0370Ensure 'Prevent installation of devices that match any of these device IDs' set to 'Also apply to matching devices that are already installed. (True) '.Registry value not found.False
0371Ensure 'Prevent installation of devices using drivers that match these device setup classes' set to 'Also apply to matching devices that are already installed. (True) '.CompliantTrue
0372Ensure 'Require additional authentication at startup' set to 'Do not allow TPM'.Registry value not found.False
0373Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (False)'.CompliantTrue
0374Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (Enabled)'.CompliantTrue
0375Ensure 'Choose how BitLocker-protected fixed drives can be recovered' set to 'Backup recovery passwords and key packages'.CompliantTrue
0376Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Store recovery passwords and key packages'.CompliantTrue
0377Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Backup recovery passwords and key packages'.CompliantTrue
0378Ensure 'Choose how BitLocker-protected operating system drives can be recovered' set to 'Do not allow 256-bit recovery key'.CompliantTrue
0380Ensure 'Choose how BitLocker-protected removable drives can be recovered' set to 'Do not allow 256-bit recovery key'.CompliantTrue
0384Ensure 'Password Age' set to less or equal 42.Registry value is '20'. Expected: 42False
0385Ensure 'Require additional authentication at startup' set to 'Require startup PIN with TPM'.Registry value not found.False
0386Ensure 'Turn on PowerShell Transcription' set to 'Disabled'.CompliantTrue
0387Ensure 'Turn on PowerShell Script Block Logging' set to 'Enabled'.Registry value is '0'. Expected: 1False
0388Ensure 'Require secure RPC communication' set to 'Enabled'.CompliantTrue
0389Ensure 'Set client connection encryption level' set to 'Enabled: High Level'.CompliantTrue
0390Ensure 'Set time limit for active but idle Remote Desktop Services sessions' set to 'Enabled: 5 minutes'.Registry value is '900000'. Expected: 300000False
0391Ensure 'Set time limit for disconnected sessions' set to 'Enabled: 1 minute'.CompliantTrue

User Rights Assignment-

IdTaskMessageStatus
0044 Ensure 'SeTrustedCredManAccessPrivilege' is set to 'Enabled'The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SIDFalse
0045 Ensure 'SeNetworkLogonRight' is set to 'Administrator, Users'The user right 'SeNetworkLogonRight' contains following unexpected users: BUILTIN\Backup OperatorsFalse
0046 Ensure 'SeTcbPrivilege' is set to 'None'The user 'SeTcbPrivilege' setting does not contain the following users: NULL SIDFalse
0047 Ensure ’Adjust memory quotas for a process’ set to ’Administrators, LOCAL SERVICE, NETWORK SERVICE’The user right 'SeIncreaseQuotaPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVERFalse
0048 Ensure 'Allow log on locally' set to 'Administrators, Users'The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-UTMU75K\OldGuest, BUILTIN\Backup OperatorsFalse
0049 Ensure 'SeBackupPrivilege' is set to 'Administrator'The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
0050 Ensure 'SeSystemtimePrivilege' is set to 'Administrator, LOCAL SERVICE'CompliantTrue
0051 Ensure 'SeTimeZonePrivilege' is set to 'Administrator, LOCAL SERVICE'The user right 'SeTimeZonePrivilege' contains following unexpected users: BUILTIN\UsersFalse
0052 Ensure 'SeCreatePagefilePrivilege' is set to 'Administrator, LOCAL SERVICE'The user 'SeCreatePagefilePrivilege' setting does not contain the following users: NT AUTHORITY\LOCAL SERVICEFalse
0053 Ensure 'SeCreateTokenPrivilege' is set to 'None'The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SIDFalse
0054 Ensure 'SeCreateGlobalPrivilege' is set to 'Administrator, SERVICE, LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
0055 Ensure 'SeCreatePermanentPrivilege' is set to 'None'The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SIDFalse
0056 Ensure 'SeCreateSymbolicLinkPrivilege' is set to 'Administrator'The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual MachinesFalse
0057 Ensure 'SeDebugPrivilege' is set to 'Administrator'CompliantTrue
0064 Ensure 'SeEnableDelegationPrivilege' is set to 'None'The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SIDFalse
0066 Ensure 'SeRemoteShutdownPrivilege' is set to 'Administrator'CompliantTrue
0067 Ensure 'SeAuditPrivilege' is set to 'LOCAL SERVICE, NETWORK SERVICE'CompliantTrue
0068 Ensure 'SeImpersonatePrivilege' is set to 'Administrator, LOCAL SERVICE, NETWORK SERVICE'The user right 'SeImpersonatePrivilege' contains following unexpected users: NT AUTHORITY\SERVICEFalse
0069 Ensure 'SeIncreaseBasePriorityPrivilege' is set to 'Administrator'The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager GroupFalse
0085 Ensure 'SeRelabelPrivilege' is set to 'None'The user 'SeRelabelPrivilege' setting does not contain the following users: NULL SIDFalse
0086 Ensure 'SeSystemEnvironmentPrivilege' is set to 'Administrator'CompliantTrue
0087 Ensure 'SeManageVolumePrivilege' is set to 'Administrator'CompliantTrue
0088 Ensure 'SeProfileSingleProcessPrivilege' is set to 'Administrator'CompliantTrue
0089 Ensure 'SeSystemProfilePrivilege' is set to 'Administrator, NT SERVICE/WdiServiceHost'CompliantTrue
0090 Ensure 'SeRestorePrivilege' is set to 'Administrator'The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
0091 Ensure 'SeShutdownPrivilege' is set to 'Administrator, Users'The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
0094 Ensure 'SeTakeOwnershipPrivilege' is set to 'Administrator'CompliantTrue
0104 Ensure 'SeDenyNetworkLogonRight' is set to 'Local account, Guest'The user right 'SeDenyNetworkLogonRight' contains following unexpected users: LOCAL +The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local accountFalse
0105 Ensure 'SeDenyBatchLogonRight' is set to 'Guest'CompliantTrue
0106 Ensure 'SeDenyServiceLogonRight' is set to 'Guest'CompliantTrue
0107 Ensure 'SeDenyInteractiveLogonRight' is set to 'Guest'CompliantTrue
0108 Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account, Guest'CompliantTrue
0180 Ensure 'Load and unload device drivers' is set to 'Administrator'CompliantTrue
0181 Ensure 'Lock pages in memory' is set to 'No one'The user 'SeLockMemoryPrivilege' setting does not contain the following users: NULL SIDFalse
0182 Ensure 'Log on as a batch job' is set to 'Administrator'The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log UsersFalse
0183 Ensure 'Log on as a service' is set to 'No one'The user right 'SeServiceLogonRight' contains following unexpected users: DESKTOP-UTMU75K\SQLServer2005SQLBrowserUser$DESKTOP-UTMU75K, NT SERVICE\ALL SERVICES, NT SERVICE\SQLTELEMETRY, NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVER, NT VIRTUAL MACHINE\Virtual Machines +The user 'SeServiceLogonRight' setting does not contain the following users: NULL SIDFalse
0184 Ensure 'Manage auditing and security log' is set to 'Administrator'CompliantTrue
0219 Ensure 'Replace a process level token' is set to 'Local Service, Network Service'The user right 'SeAssignPrimaryTokenPrivilege' contains following unexpected users: NT SERVICE\SQLSERVERAGENT, NT SERVICE\MSSQLSERVERFalse
0303 Ensure 'Allow log on through Remote Desktop Services' is set to 'Remote Desktop User'The user right 'SeRemoteInteractiveLogonRight' contains following unexpected users: BUILTIN\AdministratorsFalse

Account Policies-

IdTaskMessageStatus
0001 Ensure 'Maximum password age' is set to between 1 and 42'MaximumPasswordAge' currently set to: 60. Expected: x <= 42 and x >= 1False
0002 Ensure 'Password must meet complexity requirements' is set to 'Enabled'CompliantTrue
0100 Ensure 'Reset account lockout counter after' is set greater or equal 15CompliantTrue
0102 Ensure 'Account lockout duration' is set to '15 or more minute(s)'CompliantTrue
0103Ensure 'Account lockout threshold' is set greater or equal 1 and less or equal 10CompliantTrue
0162 Ensure 'Enforce password history' is set greater or equal 24CompliantTrue
0186 Ensure 'Minimum password age' is set to greater or equal 1CompliantTrue
0187 Ensure 'Minimum password length' is set to greater or equal 14CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
0008 Ensure 'Audit Application Group Management' is set to 'Success and Failure'CompliantTrue
0011 Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'Set to: No AuditingFalse
0012 Ensure 'Audit Security Group Management' is set to 'SuccessAndFailure'Set to: SuccessFalse
0013 Ensure 'Audit account management' is set to 'SuccessAndFailure'CompliantTrue
0014 Ensure 'Advanced security audit policy settings' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0015 Ensure 'Audit Process Creation' is set to 'SuccessAndNotFailure'Set to: SuccessFalse
0016 Ensure 'Audit Other Logon/Logoff Events' is set to 'SuccessAndFailure'CompliantTrue
0017 Ensure 'Audit Account Lockout' is set to 'SuccessAndNotFailure'Set to: FailureFalse
0018 Ensure 'How to track users logon/logoff' is set to 'SuccessAndNotFailure'CompliantTrue
0019 Ensure 'Audit Policy: Logon-Logoff: Logon' is set to 'SuccessAndFailure'CompliantTrue
0020 Ensure 'Audit Policy: Logon-Logoff: Special Logon' is set to 'Enabled'CompliantTrue
0021 Ensure 'Audit Policy: Object Access:Removable Storage' is set to 'SuccessAndFailure'CompliantTrue
0022 Ensure 'Audit Policy: Policy Change: Audit Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0023 Ensure 'Audit Policy: Policy Change: Authentication Policy Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0025 Ensure 'Audit Policy: System: IPsecDriver' is set to 'SuccessAndFailure'CompliantTrue
0026 Ensure 'Audit Policy: System: OtherSystem Events' is set to 'SuccessAndFailure'CompliantTrue
0027 Ensure 'Audit Policy: System: Security State Change' is set to 'SuccessAndFailure'Set to: SuccessFalse
0028 Ensure 'Audit Policy: System: Security System Extension' is set to 'SuccessAndFailure'Set to: SuccessFalse
0029 Ensure 'Audit Policy: System: System Integrity' is set to 'SuccessAndFailure'CompliantTrue
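Review bot: Several rows of this sample report record defects in the check definitions rather than in the audited host, and committing the file as a reference sample freezes them: tasks 0215 through 0224 spell the expected value as 'Enalbed'; 0290 and 0291 are the same task ('Prevent managing SmartScreen Filter' set to 'Enabled: On') with contradictory results (False, then True); 0323 and 0324 print `Registry value is ''. Expected: False` with no expected value at all; 0369 is titled 'Configure use of hardware-based encryption for removable data drives' but actually evaluates 'Password Length' >= 15; 0248 is titled 'Turn On Virtualization Based Security' while its expected value 'Enabled: Block untrusted fonts and log events' belongs to the 'Untrusted Font Blocking' setting that appears as 0249 directly below; and the row '82020342' carries a stray '8202' prefix on the task id. If these rows are genuine output of the audit module, the corrections belong in the baseline definitions and the sample should be regenerated afterwards; if the sample was edited by hand, fix the rows here before merging so the sample does not document broken checks as expected behaviour.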
diff --git a/Samples/Outdated/Microsoft Windows 11 Dark.html b/Samples/Outdated/Microsoft Windows 11 Dark.html new file mode 100644 index 0000000..bcadde6 --- /dev/null +++ b/Samples/Outdated/Microsoft Windows 11 Dark.html @@ -0,0 +1,14 @@ +Windows 11 Report [01/17/2022 05:52:25]

Windows 11 Report

Generated by the ATAPAuditor Module Version 4.14 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.

Based on:

  • Security baseline for Microsoft Windows 11, Version: 20H2, Date: 2020-12-17

This report was generated on 01/17/2022 05:52:25 on DESKTOP-EHK98K4 with TAPHtmlReport version 1.8.

HostnameDESKTOP-EHK98K4
Build Number22000
Free disk space(GB) 105.1
Free physical memory (GB)1.088
Operating SystemMicrosoft Windows 11 Pro
Installation LanguageEnglish (United States)

Summary

A total of 347 tests have been executed.

  1. True 40 test(s) ≙ 11.53%
  2. False 307 test(s) ≙ 88.47%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 347 tests have been executed in section Microsoft Benchmarks.

  1. True 40 test(s) ≙ 11.53%
  2. False 307 test(s) ≙ 88.47%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

Microsoft Benchmarks-

This section contains all benchmarks from Microsoft

Registry Settings/Group Policies-

IdTaskMessageStatus
Registry-009Set registry value 'UseEnhancedPin' to 1.Registry key not found.False
Registry-010Set registry value 'RDVDenyCrossOrg' to 0.Registry key not found.False
Registry-011Set registry value 'DisableExternalDMAUnderLock' to 1.Registry key not found.False
Registry-012Set registry value 'DCSettingIndex' to 0.Registry key not found.False
Registry-013Set registry value 'ACSettingIndex' to 0.Registry key not found.False
Registry-014Set registry value 'DenyDeviceClasses' to 1.Registry key not found.False
Registry-015Set registry value 'DenyDeviceClassesRetroactive' to 1.Registry key not found.False
Registry-016Set registry value '1' to 'Prevent installation of drivers matching these device setup classes'.Registry key not found.False
Registry-017Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'.Registry key not found.False
Registry-018Set registry value 'PUAProtection' to 1.Registry value not found.False
Registry-019Set registry value 'MpCloudBlockLevel' to 2.Registry key not found.False
Registry-020Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'.Registry key not found.False
Registry-021Ensure 'Turn off real-time protection' is set to 'Disabled'.Registry key not found.False
Registry-022Set registry value 'DisableScriptScanning' to 0.Registry key not found.False
Registry-023Ensure 'Scan removable drives' is set to 'Enabled'.Registry key not found.False
Registry-024Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'.Registry key not found.False
Registry-025Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'.Registry key not found.False
Registry-026Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'.Registry key not found.False
Registry-027Set registry value 'ExploitGuard_ASR_Rules' to 1.Registry key not found.False
Registry-028(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-029(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-030(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-031(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-032(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-033(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-034(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-035(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-036(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-037(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-038(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-039Use advanced protection against ransomwareRegistry key not found.False
Registry-040(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-041Set registry value 'EnableNetworkProtection' to 1.Registry key not found.False
Registry-042Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.Registry key not found.False
Registry-043Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.Registry key not found.False
Registry-044Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-045Set registry value 'HVCIMATRequired' to 1.Registry key not found.False
Registry-046Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-047Set registry value 'ConfigureSystemGuardLaunch' to 1.Registry key not found.False
Registry-048Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
Registry-049Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1.Registry key not found.False
Registry-050Set registry value 'AutoConnectAllowedOEM' to 0.Registry value not found.False
Registry-051Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.Registry key not found.False
Registry-052Ensure 'Turn off Autoplay' is set to 'All drives'.Registry value not found.False
Registry-053Set registry value 'NoWebServices' to 1.Registry value not found.False
Registry-054Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.Registry value not found.False
Registry-055Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.Registry value not found.False
Registry-056Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.Registry value not found.False
Registry-057Set registry value 'LocalAccountTokenFilterPolicy' to 0.Registry value not found.False
Registry-058Set registry value 'AllowEncryptionOracle' to 0.Registry key not found.False
Registry-059Set registry value 'EnhancedAntiSpoofing' to 1.Registry key not found.False
Registry-060Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.Registry key not found.False
Registry-061Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'.Registry key not found.False
Registry-062Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.Registry key not found.False
Registry-063Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2.Registry key not found.False
Registry-064Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.Registry key not found.False
Registry-065Set registry value 'AllowProtectedCreds' to 1.Registry key not found.False
Registry-066Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-067Ensure 'Specify the maximum log file size (KB)' is set to '196608'.Registry key not found.False
Registry-068Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-069Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.Registry key not found.False
Registry-070Set registry value 'AllowGameDVR' to 0.Registry key not found.False
Registry-071Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-072Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-073Set registry value 'AlwaysInstallElevated' to 0.Registry key not found.False
Registry-074Ensure 'Allow user control over installs' is set to 'Disabled'.Registry key not found.False
Registry-075Set registry value 'DeviceEnumerationPolicy' to 0.Registry key not found.False
Registry-076Ensure 'Enable insecure guest logons' is set to 'Disabled'.Registry key not found.False
Registry-077Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.Registry value not found.False
Registry-078Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-079Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-080Set registry value 'NoLockScreenCamera' to 1.Registry key not found.False
Registry-081Set registry value 'NoLockScreenSlideshow' to 1.Registry key not found.False
Registry-082Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.Registry key not found.False
Registry-083Ensure 'Turn on PowerShell Script Block Logging' is not set.Compliant. Registry key not found.True
Registry-084Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.Registry value not found.False
Registry-085Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.Registry value not found.False
Registry-086Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.Registry value not found.False
Registry-087Set registry value 'ShellSmartScreenLevel' to Block.Registry value not found.False
Registry-088Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'.Registry value not found.False
Registry-089Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.Registry key not found.False
Registry-090Ensure 'Disallow Digest authentication' is set to 'Enabled'.Registry key not found.False
Registry-091Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-092Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-093Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-094Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.Registry key not found.False
Registry-095Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-096Ensure 'Turn off multicast name resolution' is set to 'Enabled'.Registry key not found.False
Registry-097Set registry value 'DisableWebPnPDownload' to 1.Registry key not found.False
Registry-098Set registry value 'RestrictDriverInstallationToAdministrators' to 1.Registry key not found.False
Registry-099Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'.Registry key not found.False
Registry-100Set registry value 'fUseMailto' to .Compliant. Registry value not found.True
Registry-101Set registry value 'fAllowToGetHelp' to 0.Registry value not found.False
Registry-102Set registry value 'fAllowFullControl' to .Compliant. Registry value not found.True
Registry-103Set registry value 'MaxTicketExpiry' to .Compliant. Registry value not found.True
Registry-104Set registry value 'MaxTicketExpiryUnits' to .Compliant. Registry value not found.True
Registry-105Set registry value 'MinEncryptionLevel' to 3.Registry value not found.False
Registry-106Set registry value 'fPromptForPassword' to 1.Registry value not found.False
Registry-107Set registry value 'fDisableCdm' to 1.Registry value not found.False
Registry-108Set registry value 'DisablePasswordSaving' to 1.Registry value not found.False
Registry-109Set registry value 'fEncryptRPCTraffic' to 1.Registry value not found.False
Registry-110Set registry value 'PolicyVersion' to 538.Registry key not found.False
Registry-111Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-112Set registry value 'DisableNotifications' to 1.Registry key not found.False
Registry-113Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-114Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-115Set registry value 'LogDroppedPackets' to 1.Registry key not found.False
Registry-116Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-117Set registry value 'LogSuccessfulConnections' to 1.Registry key not found.False
Registry-118Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-119Set registry value 'DisableNotifications' to 1.Registry key not found.False
Registry-120Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-121Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-122Set registry value 'LogSuccessfulConnections' to 1.Registry key not found.False
Registry-123Set registry value 'LogDroppedPackets' to 1.Registry key not found.False
Registry-124Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-125Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-126Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-127Set registry value 'DisableNotifications' to 1.Registry key not found.False
Registry-128Set registry value 'AllowLocalIPsecPolicyMerge' to 0.Registry key not found.False
Registry-129Set registry value 'AllowLocalPolicyMerge' to 0.Registry key not found.False
Registry-130Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-131Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-132Set registry value 'LogDroppedPackets' to 1.Registry key not found.False
Registry-133Set registry value 'LogSuccessfulConnections' to 1.Registry key not found.False
Registry-134Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.Registry key not found.False
Registry-135Set registry value 'AdmPwdEnabled' to 1.Registry key not found.False
Registry-136Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.Registry value not found.False
Registry-137Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.Registry value not found.False
Registry-138Set registry value 'DriverLoadPolicy' to 3.Registry key not found.False
Registry-139Ensure 'Configure SMB v1 server' is set to 'Disabled'.Registry value not found.False
Registry-140Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.Registry key not found.False
Registry-141Set registry value 'NoNameReleaseOnDemand' to 1.Registry value not found.False
Registry-142Set registry value 'NodeType' to 2.Registry value not found.False
Registry-143Set registry value 'EnableICMPRedirect' to 0.Registry value not found.False
Registry-144Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-145Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-146Set registry value 'ScRemoveOption' to 1.Registry value is '0'. Expected: 1False
Registry-147Set registry value 'InactivityTimeoutSecs' to 900.Registry value not found.False
Registry-148Set registry value 'NoLMHash' to 1.CompliantTrue
Registry-149Set registry value 'EnablePlainTextPassword' to 0.CompliantTrue
Registry-150Set registry value 'LimitBlankPasswordUse' to 1.CompliantTrue
Registry-151Set registry value 'RestrictAnonymousSAM' to 1.CompliantTrue
Registry-152Set registry value 'RestrictAnonymous' to 1.Registry value is '0'. Expected: 1False
Registry-153Set registry value 'RestrictNullSessAccess' to 1.CompliantTrue
Registry-154Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.Registry value not found.False
Registry-155Set registry value 'NTLMMinClientSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-156Set registry value 'LmCompatibilityLevel' to 5.Registry value not found.False
Registry-157Set registry value 'allownullsessionfallback' to 0.Registry value not found.False
Registry-158Set registry value 'NTLMMinServerSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-159Set registry value 'requirestrongkey' to 1.CompliantTrue
Registry-160Set registry value 'RequireSecuritySignature' to 1.Registry value is '0'. Expected: 1False
Registry-161Set registry value 'sealsecurechannel' to 1.CompliantTrue
Registry-162Set registry value 'requiresignorseal' to 1.CompliantTrue
Registry-163Set registry value 'signsecurechannel' to 1.CompliantTrue
Registry-164Set registry value 'requiresecuritysignature' to 1.Registry value is '0'. Expected: 1False
Registry-165Set registry value 'ProtectionMode' to 1.CompliantTrue
Registry-166Set registry value 'ConsentPromptBehaviorAdmin' to 2.Registry value is '5'. Expected: 2False
Registry-167Set registry value 'EnableSecureUIAPaths' to 1.CompliantTrue
Registry-168Set registry value 'EnableLUA' to 1.CompliantTrue
Registry-169Set registry value 'ConsentPromptBehaviorUser' to 0.Registry value is '3'. Expected: 0False
Registry-170Set registry value 'EnableInstallerDetection' to 1.CompliantTrue
Registry-171Set registry value 'FilterAdministratorToken' to 1.Registry value not found.False
Registry-172Set registry value 'EnableVirtualization' to 1.CompliantTrue
Registry-173Set registry value 'LDAPClientIntegrity' to 1.CompliantTrue
Registry-174Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.Registry value not found.False
Registry-222Set registry value 'FormSuggest Passwords' to 1.Registry key not found.False
Registry-223Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'.Registry key not found.False
Registry-224Set registry value 'FormSuggest Passwords' to no.Registry key not found.False
Registry-225Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'.Registry value not found.False
Registry-226Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'.Registry value not found.False
Registry-227Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'.Registry key not found.False
Registry-228Set registry value 'CheckExeSignatures' to yes.Registry key not found.False
Registry-229Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'.Registry key not found.False
Registry-230Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'.Registry key not found.False
Registry-231Set registry value 'Isolation' to PMEM.Registry key not found.False
Registry-232Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-234Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-235Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-237Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-238Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-240Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-241Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-242Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-244Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-246Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-247Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-249Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-251Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-252Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-253Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-254Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-255Set registry value 'iexplore.exe' to 1.Registry key not found.False
Registry-256Set registry value 'PreventOverrideAppRepUnknown' to 1.Registry key not found.False
Registry-257Set registry value 'PreventOverride' to 1.Registry key not found.False
Registry-258Ensure 'Prevent managing SmartScreen Filter' is set to 'On'.Registry key not found.False
Registry-259Set registry value 'NoCrashDetection' to 1.Registry key not found.False
Registry-260Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'.Registry key not found.False
Registry-261Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'.Registry key not found.False
Registry-262Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'.Registry key not found.False
Registry-263Set registry value 'Security_zones_map_edit' to 1.Registry value not found.False
Registry-264Set registry value 'Security_options_edit' to 1.Registry value not found.False
Registry-265Set registry value 'Security_HKLM_only' to 1.Registry value not found.False
Registry-266Ensure 'Check for server certificate revocation' is set to 'Enabled'.Registry value not found.False
Registry-267Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'.Registry value not found.False
Registry-268Set registry value 'WarnOnBadCertRecving' to 1.Registry value not found.False
Registry-269Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'.Registry value not found.False
Registry-270Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'.Registry value not found.False
Registry-271Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-272Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-273Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-274Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-275Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-276Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-277Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'.Registry key not found.False
Registry-278Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-279Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-280Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-281Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-282Ensure 'Java permissions' is set to 'High safety'.Registry key not found.False
Registry-283Ensure 'Java permissions' is set to 'High safety'.Registry key not found.False
Registry-284Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-285Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-286Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-287Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.Registry key not found.False
Registry-288Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.Registry key not found.False
Registry-289Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.Registry key not found.False
Registry-290Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-291Ensure 'Access data sources across domains' is set to 'Disable'.Registry key not found.False
Registry-292Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.Registry key not found.False
Registry-293Ensure 'Automatic prompting for file downloads' is set to 'Disable'.Registry key not found.False
Registry-294Ensure 'Allow scriptlets' is set to 'Disable'.Registry key not found.False
Registry-295Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.Registry key not found.False
Registry-296Ensure 'Use Pop-up Blocker' is set to 'Enable'.Registry key not found.False
Registry-297Ensure 'Turn on Protected Mode' is set to 'Enable'.Registry key not found.False
Registry-298Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry key not found.False
Registry-299Ensure 'Userdata persistence' is set to 'Disable'.Registry key not found.False
Registry-300Ensure 'Allow loading of XAML files' is set to 'Disable'.Registry key not found.False
Registry-301Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-302Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-303Ensure 'Download signed ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-304Ensure 'Logon options' is set to 'Prompt for user name and password'.Registry key not found.False
Registry-305Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.Registry key not found.False
Registry-306Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-307Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.Registry key not found.False
Registry-308Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.Registry key not found.False
Registry-309Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.Registry key not found.False
Registry-310Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-311Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.Registry key not found.False
Registry-312Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.Registry key not found.False
Registry-313Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.Registry key not found.False
Registry-314Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-315Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'.Registry key not found.False
Registry-316Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry key not found.False
Registry-317Set registry value '140C' to 3.Registry key not found.False
Registry-318Ensure 'Allow META REFRESH' is set to 'Disable'.Registry key not found.False
Registry-319Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-320Ensure 'Download signed ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-321Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.Registry key not found.False
Registry-322Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.Registry key not found.False
Registry-323Ensure 'Use Pop-up Blocker' is set to 'Enable'.Registry key not found.False
Registry-324Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-325Ensure 'Userdata persistence' is set to 'Disable'.Registry key not found.False
Registry-326Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.Registry key not found.False
Registry-327Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.Registry key not found.False
Registry-328Ensure 'Access data sources across domains' is set to 'Disable'.Registry key not found.False
Registry-329Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.Registry key not found.False
Registry-330Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-331Ensure 'Automatic prompting for file downloads' is set to 'Disable'.Registry key not found.False
Registry-332Ensure 'Allow binary and script behaviors' is set to 'Disable'.Registry key not found.False
Registry-333Ensure 'Scripting of Java applets' is set to 'Disable'.Registry key not found.False
Registry-334Ensure 'Allow file downloads' is set to 'Disable'.Registry key not found.False
Registry-335Ensure 'Allow loading of XAML files' is set to 'Disable'.Registry key not found.False
Registry-336Ensure 'Allow active scripting' is set to 'Disable'.Registry key not found.False
Registry-337Ensure 'Logon options' is set to 'Anonymous logon'.Registry key not found.False
Registry-338Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-339Ensure 'Turn on Protected Mode' is set to 'Enable'.Registry key not found.False
Registry-340Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.Registry key not found.False
Registry-341Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-342Ensure 'Allow scriptlets' is set to 'Disable'.Registry key not found.False
Registry-343Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-344Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.Registry key not found.False
Registry-345Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.Registry key not found.False
Registry-346Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.Registry key not found.False
Registry-347Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry key not found.False
Registry-348Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.Registry key not found.False
Registry-349Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.Registry key not found.False
Registry-350Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.Registry key not found.False
Registry-351Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-352Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.Registry key not found.False
Registry-353Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.Registry key not found.False
Registry-354Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.Registry key not found.False
Registry-355Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry key not found.False
Registry-356Set registry value '140C' to 3.Registry key not found.False

User Rights Assignment-

IdTaskMessageStatus
UserRight-176Ensure 'SeSecurityPrivilege' is set to 'administrator'CompliantTrue
UserRight-177Ensure 'SeRestorePrivilege' is set to 'administrator'The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
UserRight-178Ensure 'SeTakeOwnershipPrivilege' is set to 'administrator'CompliantTrue
UserRight-179Ensure 'SeBackupPrivilege' is set to 'administrator'The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
UserRight-180Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account'The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\Local accountFalse
UserRight-181Ensure 'SeCreatePermanentPrivilege' is set to 'none'The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-182Ensure 'SeManageVolumePrivilege' is set to 'administrator'CompliantTrue
UserRight-183Ensure 'SeLoadDriverPrivilege' is set to 'administrator'CompliantTrue
UserRight-184Ensure 'SeLockMemoryPrivilege' is set to 'none'CompliantTrue
UserRight-185Ensure 'SeDenyNetworkLogonRight' is set to 'Local account'The user right 'SeDenyNetworkLogonRight' contains following unexpected users: DESKTOP-EHK98K4\Guest +The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local accountFalse
UserRight-186Ensure 'SeNetworkLogonRight' is set to 'administrator, Remote Desktop Users'The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators +The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
UserRight-187Ensure 'SeImpersonatePrivilege' is set to 'administrator, Service, Local Service, Network Service'The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRSFalse
UserRight-188Ensure 'SeCreateTokenPrivilege' is set to 'none'The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-189Ensure 'SeCreateGlobalPrivilege' is set to 'administrator, Service, Local Service, Network Service'CompliantTrue
UserRight-190Ensure 'SeSystemEnvironmentPrivilege' is set to 'administrator'CompliantTrue
UserRight-191Ensure 'SeCreatePagefilePrivilege' is set to 'administrator'CompliantTrue
UserRight-192Ensure 'SeInteractiveLogonRight' is set to 'administrator, Users'The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-EHK98K4\Guest, BUILTIN\Backup OperatorsFalse
UserRight-193Ensure 'SeRemoteShutdownPrivilege' is set to 'administrator'CompliantTrue
UserRight-194Ensure 'SeDebugPrivilege' is set to 'administrator'CompliantTrue
UserRight-195Ensure 'SeTrustedCredManAccessPrivilege' is set to 'none'The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-196Ensure 'SeProfileSingleProcessPrivilege' is set to 'administrator'CompliantTrue
UserRight-197Ensure 'SeTcbPrivilege' is set to 'none'The user 'SeTcbPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-198Ensure 'SeEnableDelegationPrivilege' is set to 'none'The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SIDFalse

Account Policies-

IdTaskMessageStatus
AccountPolicy-001Ensure 'MinimumPasswordLength' is set to '14'.'MinimumPasswordLength' currently set to: 0. Expected: 14False
AccountPolicy-002Ensure 'PasswordComplexity' is set to '1'.'PasswordComplexity' currently set to: 0. Expected: 1False
AccountPolicy-003Ensure 'PasswordHistorySize' is set to '24'.'PasswordHistorySize' currently set to: 0. Expected: 24False
AccountPolicy-004Ensure 'LockoutBadCount' is set to '10'.'LockoutBadCount' currently set to: 0. Expected: 10False
AccountPolicy-005Ensure 'ResetLockoutCount' is set to '15'.Currently not set.False
AccountPolicy-006Ensure 'LockoutDuration' is set to '15'.Currently not set.False
AccountPolicy-007Ensure 'ClearTextPassword' is set to '0'.CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
AuditPolicy-199Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-200Ensure 'Security Group Management' is set to 'Success'.CompliantTrue
AuditPolicy-201Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'.Set to: SuccessFalse
AuditPolicy-202Ensure 'Plug and Play Events' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-203Ensure 'Process Creation' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-204Ensure 'Account Lockout' is set to 'Failure'.Set to: SuccessFalse
AuditPolicy-205Ensure 'Group Membership' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-206Ensure 'Logon' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-207Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-208Ensure 'Special Logon' is set to 'Success'.CompliantTrue
AuditPolicy-209Ensure 'Detailed File Share' is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-210Ensure 'File Share' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-211Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-212Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-213Ensure 'Audit Policy Change' is set to 'Success'.CompliantTrue
AuditPolicy-214Ensure 'Authentication Policy Change' is set to 'Success'.CompliantTrue
AuditPolicy-215Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-216Ensure 'Other Policy Change Events' is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-217Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-218Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-219Ensure 'Security State Change' is set to 'Success'.CompliantTrue
AuditPolicy-220Ensure 'Security System Extension' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-221Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'.CompliantTrue
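Review bot: the task wording in the Advanced Audit Policy rows (AuditPolicy-199, -201, -206, -207, -210 through -212, -215, -217, -218, -221) reads "is set to 'Success' and is set to 'Failure'", which is awkward and comes from the generator's message template rather than this sample; "is set to 'Success and Failure'" would read cleanly and would also make the "Set to: Success" failure message of AuditPolicy-201 unambiguous (Success alone is not the expected Success and Failure). In the same way, UserRight-198 checks that 'SeEnableDelegationPrivilege' is set to 'none' but fails with "does not contain the following users: NULL SID", which reads as if NULL SID were a required member; a failure message that names the unexpected holders of the right (as UserRight-177 and -179 do) would be clearer for an empty-expected check. Both are template strings in the module, so fixing them there and regenerating the sample is the clean route.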
diff --git a/Samples/Outdated/Microsoft Windows 11.html b/Samples/Outdated/Microsoft Windows 11.html new file mode 100644 index 0000000..50ca0eb --- /dev/null +++ b/Samples/Outdated/Microsoft Windows 11.html @@ -0,0 +1,14 @@ +Windows 11 Report [01/17/2022 05:19:04]

Windows 11 Report

Generated by the ATAPAuditor Module Version 4.14 by FB Pro GmbH. Get it in the Audit Test Automation Package. Are you seeing a lot of red sections? Check out our hardening solutions.

Based on:

  • Security baseline for Microsoft Windows 11, Version: 20H2, Date: 2020-12-17

This report was generated on 01/17/2022 05:19:04 on DESKTOP-EHK98K4 with TAPHtmlReport version 1.8.

HostnameDESKTOP-EHK98K4
Build Number22000
Free disk space(GB) 105.2
Free physical memory (GB)0.804
Operating SystemMicrosoft Windows 11 Pro
Installation LanguageEnglish (United States)

Summary

A total of 347 tests have been executed.

  1. True 40 test(s) ≙ 11.53%
  2. False 307 test(s) ≙ 88.47%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 347 tests have been executed in section Microsoft Benchmarks.

  1. True 40 test(s) ≙ 11.53%
  2. False 307 test(s) ≙ 88.47%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

Microsoft Benchmarks-

This section contains all benchmarks from Microsoft

Registry Settings/Group Policies-

IdTaskMessageStatus
Registry-009Set registry value 'UseEnhancedPin' to 1.Registry key not found.False
Registry-010Set registry value 'RDVDenyCrossOrg' to 0.Registry key not found.False
Registry-011Set registry value 'DisableExternalDMAUnderLock' to 1.Registry key not found.False
Registry-012Set registry value 'DCSettingIndex' to 0.Registry key not found.False
Registry-013Set registry value 'ACSettingIndex' to 0.Registry key not found.False
Registry-014Set registry value 'DenyDeviceClasses' to 1.Registry key not found.False
Registry-015Set registry value 'DenyDeviceClassesRetroactive' to 1.Registry key not found.False
Registry-016Set registry value '1' to 'Prevent installation of drivers matching these device setup classes'.Registry key not found.False
Registry-017Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'.Registry key not found.False
Registry-018Set registry value 'PUAProtection' to 1.Registry value not found.False
Registry-019Set registry value 'MpCloudBlockLevel' to 2.Registry key not found.False
Registry-020Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'.Registry key not found.False
Registry-021Ensure 'Turn off real-time protection' is set to 'Disabled'.Registry key not found.False
Registry-022Set registry value 'DisableScriptScanning' to 0.Registry key not found.False
Registry-023Ensure 'Scan removable drives' is set to 'Enabled'.Registry key not found.False
Registry-024Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'.Registry key not found.False
Registry-025Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'.Registry key not found.False
Registry-026Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'.Registry key not found.False
Registry-027Set registry value 'ExploitGuard_ASR_Rules' to 1.Registry key not found.False
Registry-028(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-029(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-030(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-031(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-032(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-033(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-034(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-035(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-036(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-037(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-038(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-039Use advanced protection against ransomwareRegistry key not found.False
Registry-040(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configuredRegistry key not found.False
Registry-041Set registry value 'EnableNetworkProtection' to 1.Registry key not found.False
Registry-042Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'.Registry key not found.False
Registry-043Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'.Registry key not found.False
Registry-044Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-045Set registry value 'HVCIMATRequired' to 1.Registry key not found.False
Registry-046Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'.Registry key not found.False
Registry-047Set registry value 'ConfigureSystemGuardLaunch' to 1.Registry key not found.False
Registry-048Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'.Registry value not found.False
Registry-049Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1.Registry key not found.False
Registry-050Set registry value 'AutoConnectAllowedOEM' to 0.Registry value not found.False
Registry-051Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.Registry key not found.False
Registry-052Ensure 'Turn off Autoplay' is set to 'All drives'.Registry value not found.False
Registry-053Set registry value 'NoWebServices' to 1.Registry value not found.False
Registry-054Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'.Registry value not found.False
Registry-055Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'.Registry value not found.False
Registry-056Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'.Registry value not found.False
Registry-057Set registry value 'LocalAccountTokenFilterPolicy' to 0.Registry value not found.False
Registry-058Set registry value 'AllowEncryptionOracle' to 0.Registry key not found.False
Registry-059Set registry value 'EnhancedAntiSpoofing' to 1.Registry key not found.False
Registry-060Ensure 'Prevent downloading of enclosures' is set to 'Enabled'.Registry key not found.False
Registry-061Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'.Registry key not found.False
Registry-062Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'.Registry key not found.False
Registry-063Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2.Registry key not found.False
Registry-064Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.Registry key not found.False
Registry-065Set registry value 'AllowProtectedCreds' to 1.Registry key not found.False
Registry-066Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-067Ensure 'Specify the maximum log file size (KB)' is set to '196608'.Registry key not found.False
Registry-068Ensure 'Specify the maximum log file size (KB)' is set to '32768'.Registry key not found.False
Registry-069Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.Registry key not found.False
Registry-070Set registry value 'AllowGameDVR' to 0.Registry key not found.False
Registry-071Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-072Ensure 'Configure registry policy processing' is set to '0'.Registry key not found.False
Registry-073Set registry value 'AlwaysInstallElevated' to 0.Registry key not found.False
Registry-074Ensure 'Allow user control over installs' is set to 'Disabled'.Registry key not found.False
Registry-075Set registry value 'DeviceEnumerationPolicy' to 0.Registry key not found.False
Registry-076Ensure 'Enable insecure guest logons' is set to 'Disabled'.Registry key not found.False
Registry-077Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'.Registry value not found.False
Registry-078Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-079Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1,RequireIntegrity=1.Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1False
Registry-080Set registry value 'NoLockScreenCamera' to 1.Registry key not found.False
Registry-081Set registry value 'NoLockScreenSlideshow' to 1.Registry key not found.False
Registry-082Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'.Registry key not found.False
Registry-083Ensure 'Turn on PowerShell Script Block Logging' is not set.Compliant. Registry key not found.True
Registry-084Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'.Registry value not found.False
Registry-085Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'.Registry value not found.False
Registry-086Ensure 'Configure Windows SmartScreen' is set to 'Enabled'.Registry value not found.False
Registry-087Set registry value 'ShellSmartScreenLevel' to Block.Registry value not found.False
Registry-088Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'.Registry value not found.False
Registry-089Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0.Registry key not found.False
Registry-090Ensure 'Disallow Digest authentication' is set to 'Enabled'.Registry key not found.False
Registry-091Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-092Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-093Ensure 'Allow unencrypted traffic' is set to 'Disabled'.Registry key not found.False
Registry-094Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'.Registry key not found.False
Registry-095Ensure 'Allow Basic authentication' is set to 'Disabled'.Registry key not found.False
Registry-096Ensure 'Turn off multicast name resolution' is set to 'Enabled'.Registry key not found.False
Registry-097Set registry value 'DisableWebPnPDownload' to 1.Registry key not found.False
Registry-098Set registry value 'RestrictDriverInstallationToAdministrators' to 1.Registry key not found.False
Registry-099Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'.Registry key not found.False
Registry-100Set registry value 'fUseMailto' to .Compliant. Registry value not found.True
Registry-101Set registry value 'fAllowToGetHelp' to 0.Registry value not found.False
Registry-102Set registry value 'fAllowFullControl' to .Compliant. Registry value not found.True
Registry-103Set registry value 'MaxTicketExpiry' to .Compliant. Registry value not found.True
Registry-104Set registry value 'MaxTicketExpiryUnits' to .Compliant. Registry value not found.True
Registry-105Set registry value 'MinEncryptionLevel' to 3.Registry value not found.False
Registry-106Set registry value 'fPromptForPassword' to 1.Registry value not found.False
Registry-107Set registry value 'fDisableCdm' to 1.Registry value not found.False
Registry-108Set registry value 'DisablePasswordSaving' to 1.Registry value not found.False
Registry-109Set registry value 'fEncryptRPCTraffic' to 1.Registry value not found.False
Registry-110Set registry value 'PolicyVersion' to 538.Registry key not found.False
Registry-111Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-112Set registry value 'DisableNotifications' to 1.Registry key not found.False
Registry-113Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-114Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-115Set registry value 'LogDroppedPackets' to 1.Registry key not found.False
Registry-116Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-117Set registry value 'LogSuccessfulConnections' to 1.Registry key not found.False
Registry-118Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-119Set registry value 'DisableNotifications' to 1.Registry key not found.False
Registry-120Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-121Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-122Set registry value 'LogSuccessfulConnections' to 1.Registry key not found.False
Registry-123Set registry value 'LogDroppedPackets' to 1.Registry key not found.False
Registry-124Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-125Set registry value 'DefaultOutboundAction' to 0.Registry key not found.False
Registry-126Set registry value 'EnableFirewall' to 1.Registry key not found.False
Registry-127Set registry value 'DisableNotifications' to 1.Registry key not found.False
Registry-128Set registry value 'AllowLocalIPsecPolicyMerge' to 0.Registry key not found.False
Registry-129Set registry value 'AllowLocalPolicyMerge' to 0.Registry key not found.False
Registry-130Set registry value 'DefaultInboundAction' to 1.Registry key not found.False
Registry-131Set registry value 'LogFileSize' to 16384.Registry key not found.False
Registry-132Set registry value 'LogDroppedPackets' to 1.Registry key not found.False
Registry-133Set registry value 'LogSuccessfulConnections' to 1.Registry key not found.False
Registry-134Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'.Registry key not found.False
Registry-135Set registry value 'AdmPwdEnabled' to 1.Registry key not found.False
Registry-136Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'.Registry value not found.False
Registry-137Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'.Registry value not found.False
Registry-138Set registry value 'DriverLoadPolicy' to 3.Registry key not found.False
Registry-139Ensure 'Configure SMB v1 server' is set to 'Disabled'.Registry value not found.False
Registry-140Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'.Registry key not found.False
Registry-141Set registry value 'NoNameReleaseOnDemand' to 1.Registry value not found.False
Registry-142Set registry value 'NodeType' to 2.Registry value not found.False
Registry-143Set registry value 'EnableICMPRedirect' to 0.Registry value not found.False
Registry-144Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-145Set registry value 'DisableIPSourceRouting' to 2.Registry value not found.False
Registry-146Set registry value 'ScRemoveOption' to 1.Registry value is '0'. Expected: 1False
Registry-147Set registry value 'InactivityTimeoutSecs' to 900.Registry value not found.False
Registry-148Set registry value 'NoLMHash' to 1.CompliantTrue
Registry-149Set registry value 'EnablePlainTextPassword' to 0.CompliantTrue
Registry-150Set registry value 'LimitBlankPasswordUse' to 1.CompliantTrue
Registry-151Set registry value 'RestrictAnonymousSAM' to 1.CompliantTrue
Registry-152Set registry value 'RestrictAnonymous' to 1.Registry value is '0'. Expected: 1False
Registry-153Set registry value 'RestrictNullSessAccess' to 1.CompliantTrue
Registry-154Set registry value 'SCENoApplyLegacyAuditPolicy' to 1.Registry value not found.False
Registry-155Set registry value 'NTLMMinClientSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-156Set registry value 'LmCompatibilityLevel' to 5.Registry value not found.False
Registry-157Set registry value 'allownullsessionfallback' to 0.Registry value not found.False
Registry-158Set registry value 'NTLMMinServerSec' to 537395200.Registry value is '536870912'. Expected: 537395200False
Registry-159Set registry value 'requirestrongkey' to 1.CompliantTrue
Registry-160Set registry value 'RequireSecuritySignature' to 1.Registry value is '0'. Expected: 1False
Registry-161Set registry value 'sealsecurechannel' to 1.CompliantTrue
Registry-162Set registry value 'requiresignorseal' to 1.CompliantTrue
Registry-163Set registry value 'signsecurechannel' to 1.CompliantTrue
Registry-164Set registry value 'requiresecuritysignature' to 1.Registry value is '0'. Expected: 1False
Registry-165Set registry value 'ProtectionMode' to 1.CompliantTrue
Registry-166Set registry value 'ConsentPromptBehaviorAdmin' to 2.Registry value is '5'. Expected: 2False
Registry-167Set registry value 'EnableSecureUIAPaths' to 1.CompliantTrue
Registry-168Set registry value 'EnableLUA' to 1.CompliantTrue
Registry-169Set registry value 'ConsentPromptBehaviorUser' to 0.Registry value is '3'. Expected: 0False
Registry-170Set registry value 'EnableInstallerDetection' to 1.CompliantTrue
Registry-171Set registry value 'FilterAdministratorToken' to 1.Registry value not found.False
Registry-172Set registry value 'EnableVirtualization' to 1.CompliantTrue
Registry-173Set registry value 'LDAPClientIntegrity' to 1.CompliantTrue
Registry-174Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.Registry value not found.False
Registry-222Set registry value 'FormSuggest Passwords' to 1.Registry key not found.False
Registry-223Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'.Registry key not found.False
Registry-224Set registry value 'FormSuggest Passwords' to no.Registry key not found.False
Registry-225Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'.Registry value not found.False
Registry-226Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'.Registry value not found.False
Registry-227Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'.Registry key not found.False
Registry-228Set registry value 'CheckExeSignatures' to yes.Registry key not found.False
Registry-229Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'.Registry key not found.False
Registry-230Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'.Registry key not found.False
Registry-231Set registry value 'Isolation' to PMEM.Registry key not found.False
Registry-232Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-234Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-235Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-237Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-238Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-240Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-241Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-242Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-244Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-246Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-247Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-249Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-251Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-252Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-253Set registry value '(Reserved)' to 1.Registry key not found.False
Registry-254Set registry value 'explorer.exe' to 1.Registry key not found.False
Registry-255Set registry value 'iexplore.exe' to 1.Registry key not found.False
Registry-256Set registry value 'PreventOverrideAppRepUnknown' to 1.Registry key not found.False
Registry-257Set registry value 'PreventOverride' to 1.Registry key not found.False
Registry-258Ensure 'Prevent managing SmartScreen Filter' is set to 'On'.Registry key not found.False
Registry-259Set registry value 'NoCrashDetection' to 1.Registry key not found.False
Registry-260Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'.Registry key not found.False
Registry-261Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'.Registry key not found.False
Registry-262Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'.Registry key not found.False
Registry-263Set registry value 'Security_zones_map_edit' to 1.Registry value not found.False
Registry-264Set registry value 'Security_options_edit' to 1.Registry value not found.False
Registry-265Set registry value 'Security_HKLM_only' to 1.Registry value not found.False
Registry-266Ensure 'Check for server certificate revocation' is set to 'Enabled'.Registry value not found.False
Registry-267Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'.Registry value not found.False
Registry-268Set registry value 'WarnOnBadCertRecving' to 1.Registry value not found.False
Registry-269Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'.Registry value not found.False
Registry-270Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'.Registry value not found.False
Registry-271Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-272Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-273Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-274Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-275Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-276Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-277Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'.Registry key not found.False
Registry-278Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-279Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-280Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-281Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-282Ensure 'Java permissions' is set to 'High safety'.Registry key not found.False
Registry-283Ensure 'Java permissions' is set to 'High safety'.Registry key not found.False
Registry-284Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-285Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-286Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-287Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.Registry key not found.False
Registry-288Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.Registry key not found.False
Registry-289Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.Registry key not found.False
Registry-290Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-291Ensure 'Access data sources across domains' is set to 'Disable'.Registry key not found.False
Registry-292Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.Registry key not found.False
Registry-293Ensure 'Automatic prompting for file downloads' is set to 'Disable'.Registry key not found.False
Registry-294Ensure 'Allow scriptlets' is set to 'Disable'.Registry key not found.False
Registry-295Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.Registry key not found.False
Registry-296Ensure 'Use Pop-up Blocker' is set to 'Enable'.Registry key not found.False
Registry-297Ensure 'Turn on Protected Mode' is set to 'Enable'.Registry key not found.False
Registry-298Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry key not found.False
Registry-299Ensure 'Userdata persistence' is set to 'Disable'.Registry key not found.False
Registry-300Ensure 'Allow loading of XAML files' is set to 'Disable'.Registry key not found.False
Registry-301Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-302Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-303Ensure 'Download signed ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-304Ensure 'Logon options' is set to 'Prompt for user name and password'.Registry key not found.False
Registry-305Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.Registry key not found.False
Registry-306Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-307Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.Registry key not found.False
Registry-308Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.Registry key not found.False
Registry-309Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.Registry key not found.False
Registry-310Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-311Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.Registry key not found.False
Registry-312Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.Registry key not found.False
Registry-313Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.Registry key not found.False
Registry-314Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-315Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'.Registry key not found.False
Registry-316Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry key not found.False
Registry-317Set registry value '140C' to 3.Registry key not found.False
Registry-318Ensure 'Allow META REFRESH' is set to 'Disable'.Registry key not found.False
Registry-319Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'.Registry key not found.False
Registry-320Ensure 'Download signed ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-321Ensure 'Navigate windows and frames across different domains' is set to 'Disable'.Registry key not found.False
Registry-322Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'.Registry key not found.False
Registry-323Ensure 'Use Pop-up Blocker' is set to 'Enable'.Registry key not found.False
Registry-324Ensure 'Download unsigned ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-325Ensure 'Userdata persistence' is set to 'Disable'.Registry key not found.False
Registry-326Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'.Registry key not found.False
Registry-327Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'.Registry key not found.False
Registry-328Ensure 'Access data sources across domains' is set to 'Disable'.Registry key not found.False
Registry-329Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'.Registry key not found.False
Registry-330Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-331Ensure 'Automatic prompting for file downloads' is set to 'Disable'.Registry key not found.False
Registry-332Ensure 'Allow binary and script behaviors' is set to 'Disable'.Registry key not found.False
Registry-333Ensure 'Scripting of Java applets' is set to 'Disable'.Registry key not found.False
Registry-334Ensure 'Allow file downloads' is set to 'Disable'.Registry key not found.False
Registry-335Ensure 'Allow loading of XAML files' is set to 'Disable'.Registry key not found.False
Registry-336Ensure 'Allow active scripting' is set to 'Disable'.Registry key not found.False
Registry-337Ensure 'Logon options' is set to 'Anonymous logon'.Registry key not found.False
Registry-338Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'.Registry key not found.False
Registry-339Ensure 'Turn on Protected Mode' is set to 'Enable'.Registry key not found.False
Registry-340Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'.Registry key not found.False
Registry-341Ensure 'Java permissions' is set to 'Disable Java'.Registry key not found.False
Registry-342Ensure 'Allow scriptlets' is set to 'Disable'.Registry key not found.False
Registry-343Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'.Registry key not found.False
Registry-344Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'.Registry key not found.False
Registry-345Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'.Registry key not found.False
Registry-346Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'.Registry key not found.False
Registry-347Ensure 'Allow updates to status bar via script' is set to 'Disable'.Registry key not found.False
Registry-348Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'.Registry key not found.False
Registry-349Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'.Registry key not found.False
Registry-350Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'.Registry key not found.False
Registry-351Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'.Registry key not found.False
Registry-352Ensure 'Run ActiveX controls and plugins' is set to 'Disable'.Registry key not found.False
Registry-353Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'.Registry key not found.False
Registry-354Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'.Registry key not found.False
Registry-355Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'.Registry key not found.False
Registry-356Set registry value '140C' to 3.Registry key not found.False

User Rights Assignment-

IdTaskMessageStatus
UserRight-176Ensure 'SeSecurityPrivilege' is set to 'administrator'CompliantTrue
UserRight-177Ensure 'SeRestorePrivilege' is set to 'administrator'The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
UserRight-178Ensure 'SeTakeOwnershipPrivilege' is set to 'administrator'CompliantTrue
UserRight-179Ensure 'SeBackupPrivilege' is set to 'administrator'The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup OperatorsFalse
UserRight-180Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'Local account'The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\Local accountFalse
UserRight-181Ensure 'SeCreatePermanentPrivilege' is set to 'none'The user 'SeCreatePermanentPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-182Ensure 'SeManageVolumePrivilege' is set to 'administrator'CompliantTrue
UserRight-183Ensure 'SeLoadDriverPrivilege' is set to 'administrator'CompliantTrue
UserRight-184Ensure 'SeLockMemoryPrivilege' is set to 'none'CompliantTrue
UserRight-185Ensure 'SeDenyNetworkLogonRight' is set to 'Local account'The user right 'SeDenyNetworkLogonRight' contains following unexpected users: DESKTOP-EHK98K4\Guest +The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local accountFalse
UserRight-186Ensure 'SeNetworkLogonRight' is set to 'administrator, Remote Desktop Users'The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators +The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop UsersFalse
UserRight-187Ensure 'SeImpersonatePrivilege' is set to 'administrator, Service, Local Service, Network Service'The user right 'SeImpersonatePrivilege' contains following unexpected users: BUILTIN\IIS_IUSRSFalse
UserRight-188Ensure 'SeCreateTokenPrivilege' is set to 'none'The user 'SeCreateTokenPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-189Ensure 'SeCreateGlobalPrivilege' is set to 'administrator, Service, Local Service, Network Service'CompliantTrue
UserRight-190Ensure 'SeSystemEnvironmentPrivilege' is set to 'administrator'CompliantTrue
UserRight-191Ensure 'SeCreatePagefilePrivilege' is set to 'administrator'CompliantTrue
UserRight-192Ensure 'SeInteractiveLogonRight' is set to 'administrator, Users'The user right 'SeInteractiveLogonRight' contains following unexpected users: DESKTOP-EHK98K4\Guest, BUILTIN\Backup OperatorsFalse
UserRight-193Ensure 'SeRemoteShutdownPrivilege' is set to 'administrator'CompliantTrue
UserRight-194Ensure 'SeDebugPrivilege' is set to 'administrator'CompliantTrue
UserRight-195Ensure 'SeTrustedCredManAccessPrivilege' is set to 'none'The user 'SeTrustedCredManAccessPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-196Ensure 'SeProfileSingleProcessPrivilege' is set to 'administrator'CompliantTrue
UserRight-197Ensure 'SeTcbPrivilege' is set to 'none'The user 'SeTcbPrivilege' setting does not contain the following users: NULL SIDFalse
UserRight-198Ensure 'SeEnableDelegationPrivilege' is set to 'none'The user 'SeEnableDelegationPrivilege' setting does not contain the following users: NULL SIDFalse

Account Policies-

IdTaskMessageStatus
AccountPolicy-001Ensure 'MinimumPasswordLength' is set to '14'.'MinimumPasswordLength' currently set to: 0. Expected: 14False
AccountPolicy-002Ensure 'PasswordComplexity' is set to '1'.'PasswordComplexity' currently set to: 0. Expected: 1False
AccountPolicy-003Ensure 'PasswordHistorySize' is set to '24'.'PasswordHistorySize' currently set to: 0. Expected: 24False
AccountPolicy-004Ensure 'LockoutBadCount' is set to '10'.'LockoutBadCount' currently set to: 0. Expected: 10False
AccountPolicy-005Ensure 'ResetLockoutCount' is set to '15'.Currently not set.False
AccountPolicy-006Ensure 'LockoutDuration' is set to '15'.Currently not set.False
AccountPolicy-007Ensure 'ClearTextPassword' is set to '0'.CompliantTrue

Advanced Audit Policy Configuration-

IdTaskMessageStatus
AuditPolicy-199Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-200Ensure 'Security Group Management' is set to 'Success'.CompliantTrue
AuditPolicy-201Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'.Set to: SuccessFalse
AuditPolicy-202Ensure 'Plug and Play Events' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-203Ensure 'Process Creation' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-204Ensure 'Account Lockout' is set to 'Failure'.Set to: SuccessFalse
AuditPolicy-205Ensure 'Group Membership' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-206Ensure 'Logon' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-207Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-208Ensure 'Special Logon' is set to 'Success'.CompliantTrue
AuditPolicy-209Ensure 'Detailed File Share' is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-210Ensure 'File Share' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-211Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-212Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-213Ensure 'Audit Policy Change' is set to 'Success'.CompliantTrue
AuditPolicy-214Ensure 'Authentication Policy Change' is set to 'Success'.CompliantTrue
AuditPolicy-215Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-216Ensure 'Other Policy Change Events' is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-217Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'.Set to: No AuditingFalse
AuditPolicy-218Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'.CompliantTrue
AuditPolicy-219Ensure 'Security State Change' is set to 'Success'.CompliantTrue
AuditPolicy-220Ensure 'Security System Extension' is set to 'Success'.Set to: No AuditingFalse
AuditPolicy-221Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'.CompliantTrue
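Review bot: the five "is set to 'none'" checks (UserRight-181, -188, -195, -197 and -198) all fail with "setting does not contain the following users: NULL SID", which reads as the comparison expecting a literal NULL SID holder instead of accepting an empty assignment; since an empty assignment is exactly the state these tasks ask for, that looks like a false negative in the check rather than a real finding, and it is worth confirming before this sample is committed as reference output. Also, the User Rights task strings lack the trailing period that the Registry, Account Policy and Audit Policy task strings carry, so anything keying on the task text gets inconsistent values across sections.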
diff --git a/Samples/Outdated/MozillaFirefox.dark.html b/Samples/Outdated/MozillaFirefox.dark.html new file mode 100644 index 0000000..3ec9d7f --- /dev/null +++ b/Samples/Outdated/MozillaFirefox.dark.html @@ -0,0 +1 @@ +Mozilla Firefox Audit Report [04/03/2019 03:23:22]
FB-Pro GmbH

Mozilla Firefox Audit Report

Generated by the MozillaFirefoxAudit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on CIS Mozilla Firefox 38 ESR Benchmark v1.0.0 - 2015-12-31, DISA Mozilla FireFox Security Technical Implementation Guide V4R24 2019-01-25.

This report was generated at 04/03/2019 03:23:22 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 114.1
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.108

Navigation

Click the link(s) below for quick access to a report section.

CIS Benchmarks^

This section contains all CIS benchmarks

Configure Locked Preferences^

Id Task Message Audit
1.1 Create local-settings.js file Compliant True
1.3 Create mozilla.tt.cfg file Compliant True

Preference Settings^

Id Task Message Audit
2.1 Enable Automatic Updates Compliant. True
2.2 Enable Auto-Notification of Outdated Plugins Compliant. True
2.3 Enable Information Bar for Outdated Plugins Compliant. True
2.4 Set Update Interval Time Checks Compliant. True
2.5 Set Update Wait Time Prompt Compliant. True
2.6 Ensure Update-related UI Components are Displayed Compliant. True
2.7 Set Search Provider Update Behavior Compliant. True
3.2 Do Not Send Cross SSLTLS Referrer Header Compliant. True
3.3 Disable NTLM v1 Compliant. True
3.4 Enable Warning For Phishy URLs Compliant. True
3.5 Enable IDN Show Punycode Compliant. True
3.6 Set File URI Origin Policy Compliant. True
3.7 Disable Cloud Sync Compliant. True
3.8 Disable WebRTC Compliant. True
4.1 Set SSL Override Behavior Compliant. True
4.2 Set Security TLS Version Maximum Compliant. True
4.3 Set Security TLS Version Minimum Compliant. True
4.4 Set OCSP Use Policy Compliant. True
4.5 Block Mixed Active Content Compliant. True
4.6 Set OCSP Response Policy Compliant. True
5.1 Disallow JavaScripts Ability to Change the Status Bar Text Compliant. True
5.2 Disable Scripting of Plugins by JavaScript Compliant. True
5.3 Disallow JavaScripts Ability to Hide the Address Bar Compliant. True
5.4 Disallow JavaScripts Ability to Hide the Status Bar Compliant. True
5.5 Disable Closing of Windows via Scripts Compliant. True
5.6 Block Pop-up Windows Compliant. True
5.7 Disable Displaying JavaScript in History URLs Compliant. True
6.1 Disallow Credential Storage Compliant. True
6.2 Do Not Accept Third Party Cookies Compliant. True
6.3 Tracking Protection Missing lockprefs: lockPref("privacy.donottrackheader.value", 1). False
6.4 Set Delay for Enabling Security Sensitive Dialog Boxes Compliant. True
6.5 Disable Geolocation Serivces Missing lockprefs: lockPref("geo.enabled", False). False
7.1 Secure Application Plug-ins Compliant. True
7.2 Disabling Auto-Install of Add-ons Compliant. True
7.3 Enable Extension Block List Compliant. True
7.4 Set Extension Block List Interval Compliant. True
7.5 Enable Warning for External Protocol Handler Compliant. True
7.6 Disable Popups Initiated by Plugins Compliant. True
7.7 Enable Extension Auto Update Compliant. True
7.8 Enable Extension Update Compliant. True
7.9 Set Extension Update Interval Time Checks Compliant. True
8.1 Enable Virus Scanning for Downloads Compliant. True
8.2 Disable JAR from Opening Unsafe File Types Compliant. True
8.3 Block Reported Web Forgeries Compliant. True
8.4 Block Reported Attack Sites Compliant. True

DISA Recommendations^

This section contains all DISA recommendations

Preference Settings^

Id Task Message Audit
DTBF030 Firewall traversal from remote host must be disabled. Compliant. True
DTBF050 FireFox is configured to ask which certificate to present to a web site when a certificate is required. Compliant. True
DTBF085 Firefox automatically checks for updated version of installed Search plugins. Compliant. True
DTBF090 Firefox automatically updates installed add-ons and plugins. Compliant. True
DTBF105 Network shell protocol is enabled in FireFox. Compliant. True
DTBF140 Firefox formfill assistance option is disabled. Compliant. True
DTBF150 Firefox is configured to autofill passwords. Compliant. True
DTBF181 FireFox is configured to allow JavaScript to move or resize windows. Compliant. True
DTBF183 Firefox is configured to allow JavaScript to disable or replace context menus. Compliant. True
DTBF190 Background submission of information to Mozilla must be disabled. Compliant. True
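Review bot: several DISA task strings in the Firefox report describe the insecure condition rather than the requirement, so "DTBF105 Network shell protocol is enabled in FireFox. Compliant. True" and "DTBF150 Firefox is configured to autofill passwords. Compliant. True" read as a pass on a bad setting; phrasing them as requirements, as DTBF030 ("must be disabled") and DTBF190 already do, removes the ambiguity. Two CIS task strings also carry typos that will propagate into every generated report: "Serivces" in 6.5 and "SSLTLS" in 3.2, which looks like a dropped separator. Finally, the header embeds the lab hostname DESKTOP-O8FO61D; a placeholder hostname in committed samples avoids shipping machine identifiers.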
diff --git a/Samples/Outdated/MozillaFirefox.html b/Samples/Outdated/MozillaFirefox.html new file mode 100644 index 0000000..5bef7de --- /dev/null +++ b/Samples/Outdated/MozillaFirefox.html @@ -0,0 +1 @@ +Mozilla Firefox Audit Report [04/03/2019 02:57:42]
FB-Pro GmbH

Mozilla Firefox Audit Report

Generated by the MozillaFirefoxAudit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on CIS Mozilla Firefox 38 ESR Benchmark v1.0.0 - 2015-12-31, DISA Mozilla FireFox Security Technical Implementation Guide V4R24 2019-01-25.

This report was generated at 04/03/2019 02:57:42 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 114.1
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.130

Navigation

Click the link(s) below for quick access to a report section.

CIS Benchmarks^

This section contains all CIS benchmarks

Configure Locked Preferences^

Id Task Message Audit
1.1 Create local-settings.js file Compliant True
1.3 Create mozilla.tt.cfg file Compliant True

Preference Settings^

Id Task Message Audit
2.1 Enable Automatic Updates Compliant. True
2.2 Enable Auto-Notification of Outdated Plugins Compliant. True
2.3 Enable Information Bar for Outdated Plugins Compliant. True
2.4 Set Update Interval Time Checks Compliant. True
2.5 Set Update Wait Time Prompt Compliant. True
2.6 Ensure Update-related UI Components are Displayed Compliant. True
2.7 Set Search Provider Update Behavior Compliant. True
3.2 Do Not Send Cross SSLTLS Referrer Header Compliant. True
3.3 Disable NTLM v1 Compliant. True
3.4 Enable Warning For Phishy URLs Compliant. True
3.5 Enable IDN Show Punycode Compliant. True
3.6 Set File URI Origin Policy Compliant. True
3.7 Disable Cloud Sync Compliant. True
3.8 Disable WebRTC Compliant. True
4.1 Set SSL Override Behavior Compliant. True
4.2 Set Security TLS Version Maximum Compliant. True
4.3 Set Security TLS Version Minimum Compliant. True
4.4 Set OCSP Use Policy Compliant. True
4.5 Block Mixed Active Content Compliant. True
4.6 Set OCSP Response Policy Compliant. True
5.1 Disallow JavaScripts Ability to Change the Status Bar Text Compliant. True
5.2 Disable Scripting of Plugins by JavaScript Compliant. True
5.3 Disallow JavaScripts Ability to Hide the Address Bar Compliant. True
5.4 Disallow JavaScripts Ability to Hide the Status Bar Compliant. True
5.5 Disable Closing of Windows via Scripts Compliant. True
5.6 Block Pop-up Windows Compliant. True
5.7 Disable Displaying JavaScript in History URLs Compliant. True
6.1 Disallow Credential Storage Compliant. True
6.2 Do Not Accept Third Party Cookies Compliant. True
6.3 Tracking Protection Missing lockprefs: lockPref("privacy.donottrackheader.value", 1). False
6.4 Set Delay for Enabling Security Sensitive Dialog Boxes Compliant. True
6.5 Disable Geolocation Serivces Missing lockprefs: lockPref("geo.enabled", False). False
7.1 Secure Application Plug-ins Compliant. True
7.2 Disabling Auto-Install of Add-ons Compliant. True
7.3 Enable Extension Block List Compliant. True
7.4 Set Extension Block List Interval Compliant. True
7.5 Enable Warning for External Protocol Handler Compliant. True
7.6 Disable Popups Initiated by Plugins Compliant. True
7.7 Enable Extension Auto Update Compliant. True
7.8 Enable Extension Update Compliant. True
7.9 Set Extension Update Interval Time Checks Compliant. True
8.1 Enable Virus Scanning for Downloads Compliant. True
8.2 Disable JAR from Opening Unsafe File Types Compliant. True
8.3 Block Reported Web Forgeries Compliant. True
8.4 Block Reported Attack Sites Compliant. True

DISA Recommendations^

This section contains all DISA recommendations

Preference Settings^

Id Task Message Audit
DTBF030 Firewall traversal from remote host must be disabled. Compliant. True
DTBF050 FireFox is configured to ask which certificate to present to a web site when a certificate is required. Compliant. True
DTBF085 Firefox automatically checks for updated version of installed Search plugins. Compliant. True
DTBF090 Firefox automatically updates installed add-ons and plugins. Compliant. True
DTBF105 Network shell protocol is enabled in FireFox. Compliant. True
DTBF140 Firefox formfill assistance option is disabled. Compliant. True
DTBF150 Firefox is configured to autofill passwords. Compliant. True
DTBF181 FireFox is configured to allow JavaScript to move or resize windows. Compliant. True
DTBF183 Firefox is configured to allow JavaScript to disable or replace context menus. Compliant. True
DTBF190 Background submission of information to Mozilla must be disabled. Compliant. True
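Review bot: this file repeats MozillaFirefox.dark.html finding for finding; only the generation time (02:57:42 versus 03:23:22) and the free-memory figure differ. If the pair exists to show the light and dark report themes, a line in the sample directory saying so would save the next reader a diff; if not, one copy is enough. The DTBF105 and DTBF150 task text stating the insecure condition and the "Serivces" typo in 6.5 appear here as well, since they originate in the module rather than in the sample.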
diff --git a/Samples/Outdated/Office2016.dark.html b/Samples/Outdated/Office2016.dark.html new file mode 100644 index 0000000..d248dc2 --- /dev/null +++ b/Samples/Outdated/Office2016.dark.html @@ -0,0 +1 @@ +Microsoft Excel 2016 Audit Report [04/03/2019 04:30:25]
FB-Pro GmbH

Microsoft Excel 2016 Audit Report

Generated by the Excel2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Excel 2016 Security Technical Implementation Guide V1R2 2017-10-27.

This report was generated at 04/03/2019 04:30:25 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.4
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.125

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced. Compliant True
DTOO105 Open/Save actions for Excel 4 macrosheets and add-in files must be blocked. Compliant True
DTOO106 Open/Save actions for Excel 4 workbooks must be blocked. Compliant True
DTOO107 Open/Save actions for Excel 4 worksheets must be blocked. Compliant True
DTOO108 Actions for Excel 95 workbooks must be configured to edit in Protected View. Compliant True
DTOO109 Actions for Excel 95-97 workbooks and templates must be configured to edit in Protected View. Registry value not found. False
DTOO110 Blocking as default file block opening behavior must be enforced. Registry value not found. False
DTOO111 Enabling IE Bind to Object functionality must be present. Registry value: 0. Differs from allowed value: 1. False
DTOO112 Open/Save actions for Dif and Sylk files must be blocked. Registry value not found. False
DTOO113 Open/Save actions for Excel 2 macrosheets and add-in files must be blocked. Registry value not found. False
DTOO114 Open/Save actions for Excel 2 worksheets must be blocked. Registry value not found. False
DTOO115 Open/Save actions for Excel 3 macrosheets and add-in files must be blocked. Registry value not found. False
DTOO116 Open/Save actions for Excel 3 worksheets must be blocked. Registry value not found. False
DTOO117 Saved from URL mark to assure Internet zone processing must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO119 Configuration for file validation must be enforced. Registry value not found. False
DTOO120 Open/Save actions for web pages and Excel 2003 XML spreadsheets must be blocked. Registry value not found. False
DTOO121 Files from the Internet zone must be opened in Protected View. Compliant. Registry value not set. True
DTOO122 Open/Save actions for dBase III / IV files must be blocked. Registry value not found. False
DTOO123 Navigation to URLs embedded in Office products must be blocked. Registry value: 0. Differs from allowed value: 1. False
DTOO124 Scripted Window Security must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO126 Add-on Management functionality must be allowed. Registry value not found. False
DTOO127 Add-ins to Office applications must be signed by a Trusted Publisher. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked. Registry value not found. False
DTOO131 Trust Bar Notifications for unsigned application add-ins must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions. Registry value not found. False
DTOO133 All automatic loading from trusted locations must be disabled. Registry key not found. False
DTOO134 Disallowance of trusted locations on the network must be enforced. Registry key not found. False
DTOO139 The Save commands default file format must be configured. Registry key not found. False
DTOO142 The scanning of encrypted macros in open XML documents must be enforced. Compliant. Registry value not set. True
DTOO145 Macro storage must be in personal macro workbooks. Registry key not found. False
DTOO146 Trust access for VBA must be disallowed. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction. Registry value not found. False
DTOO288 Files in unsafe locations must be opened in Protected View. Compliant. Registry value not set. True
DTOO292 Document behavior if file validation fails must be set. Compliant. Registry value not set. True
DTOO292_b Document behavior if file validation fails must be set. Registry value not found. False
DTOO293 Excel attachments opened from Outlook must be in Protected View. Registry value not found. False
DTOO304 Warning Bar settings for VBA macros must be configured. Compliant True
DTOO418 WEBSERVICE functions must be disabled. Compliant. Registry value not set. True
DTOO419 Corrupt workbook options must be disallowed. Registry key not found. False
DTOO600 Macros must be blocked from running in Office files from the Internet. Registry value not found. False
DTOO605 Files on local Intranet UNC must be opened in Protected View. Compliant True
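Review bot: the file is named Office2016.dark.html but its title, module line ("Generated by the Excel2016Audit Module") and every finding are the Excel 2016 report, and the next file, Office2016Excel.dark.html, contains the same report again with a timestamp 37 seconds later; either rename this one to match its content or drop it, since the directory otherwise suggests an Office-wide sample that does not exist.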
diff --git a/Samples/Outdated/Office2016Excel.dark.html b/Samples/Outdated/Office2016Excel.dark.html new file mode 100644 index 0000000..e575088 --- /dev/null +++ b/Samples/Outdated/Office2016Excel.dark.html @@ -0,0 +1 @@ +Microsoft Excel 2016 Audit Report [04/03/2019 04:31:02]
FB-Pro GmbH

Microsoft Excel 2016 Audit Report

Generated by the Excel2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Excel 2016 Security Technical Implementation Guide V1R2 2017-10-27.

This report was generated at 04/03/2019 04:31:02 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.4
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.121

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced. Compliant True
DTOO105 Open/Save actions for Excel 4 macrosheets and add-in files must be blocked. Compliant True
DTOO106 Open/Save actions for Excel 4 workbooks must be blocked. Compliant True
DTOO107 Open/Save actions for Excel 4 worksheets must be blocked. Compliant True
DTOO108 Actions for Excel 95 workbooks must be configured to edit in Protected View. Compliant True
DTOO109 Actions for Excel 95-97 workbooks and templates must be configured to edit in Protected View. Registry value not found. False
DTOO110 Blocking as default file block opening behavior must be enforced. Registry value not found. False
DTOO111 Enabling IE Bind to Object functionality must be present. Registry value: 0. Differs from allowed value: 1. False
DTOO112 Open/Save actions for Dif and Sylk files must be blocked. Registry value not found. False
DTOO113 Open/Save actions for Excel 2 macrosheets and add-in files must be blocked. Registry value not found. False
DTOO114 Open/Save actions for Excel 2 worksheets must be blocked. Registry value not found. False
DTOO115 Open/Save actions for Excel 3 macrosheets and add-in files must be blocked. Registry value not found. False
DTOO116 Open/Save actions for Excel 3 worksheets must be blocked. Registry value not found. False
DTOO117 Saved from URL mark to assure Internet zone processing must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO119 Configuration for file validation must be enforced. Registry value not found. False
DTOO120 Open/Save actions for web pages and Excel 2003 XML spreadsheets must be blocked. Registry value not found. False
DTOO121 Files from the Internet zone must be opened in Protected View. Compliant. Registry value not set. True
DTOO122 Open/Save actions for dBase III / IV files must be blocked. Registry value not found. False
DTOO123 Navigation to URLs embedded in Office products must be blocked. Registry value: 0. Differs from allowed value: 1. False
DTOO124 Scripted Window Security must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO126 Add-on Management functionality must be allowed. Registry value not found. False
DTOO127 Add-ins to Office applications must be signed by a Trusted Publisher. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked. Registry value not found. False
DTOO131 Trust Bar Notifications for unsigned application add-ins must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions. Registry value not found. False
DTOO133 All automatic loading from trusted locations must be disabled. Registry key not found. False
DTOO134 Disallowance of trusted locations on the network must be enforced. Registry key not found. False
DTOO139 The Save commands default file format must be configured. Registry key not found. False
DTOO142 The scanning of encrypted macros in open XML documents must be enforced. Compliant. Registry value not set. True
DTOO145 Macro storage must be in personal macro workbooks. Registry key not found. False
DTOO146 Trust access for VBA must be disallowed. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction. Registry value not found. False
DTOO288 Files in unsafe locations must be opened in Protected View. Compliant. Registry value not set. True
DTOO292 Document behavior if file validation fails must be set. Compliant. Registry value not set. True
DTOO292_b Document behavior if file validation fails must be set. Registry value not found. False
DTOO293 Excel attachments opened from Outlook must be in Protected View. Registry value not found. False
DTOO304 Warning Bar settings for VBA macros must be configured. Compliant True
DTOO418 WEBSERVICE functions must be disabled. Compliant. Registry value not set. True
DTOO419 Corrupt workbook options must be disallowed. Registry key not found. False
DTOO600 Macros must be blocked from running in Office files from the Internet. Registry value not found. False
DTOO605 Files on local Intranet UNC must be opened in Protected View. Compliant True
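Review bot: DTOO292 and DTOO292_b carry the identical task text "Document behavior if file validation fails must be set" yet report opposite outcomes, the first passing with "Compliant. Registry value not set." and the second failing with "Registry value not found."; a reader cannot tell what the second check tests or why an absent value is compliant in one case and not the other. More generally the report treats absence as compliant for DTOO121, DTOO142, DTOO288 and DTOO418 ("Registry value not set", True) but as a failure for DTOO109, DTOO110 and the rest ("Registry value not found", False); the module presumably relies on a secure default for the former, but the message should say so (for example "Compliant (secure default)"), and the _b task needs its own distinct text.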
diff --git a/Samples/Outdated/Office2016Outlook.dark.html b/Samples/Outdated/Office2016Outlook.dark.html new file mode 100644 index 0000000..a99dbeb --- /dev/null +++ b/Samples/Outdated/Office2016Outlook.dark.html @@ -0,0 +1 @@ +Microsoft Outlook 2016 Audit Report [04/03/2019 04:37:16]
FB-Pro GmbH

Microsoft Outlook 2016 Audit Report

Generated by the Outlook2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Outlook 2016 Security Technical Implementation Guide V1R2 2017-07-28.

This report was generated at 04/03/2019 04:37:16 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.3
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.123

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced. Compliant True
DTOO111 Enabling IE Bind to Object functionality must be present. Compliant True
DTOO117 Saved from URL mark to assure Internet zone processing must be enforced. Compliant True
DTOO123 Navigation to URLs embedded in Office products must be blocked. Compliant True
DTOO124 Scripted Window Security must be enforced. Compliant True
DTOO126 Add-on Management functionality must be allowed. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction. Registry value not found. False
DTOO216 Publishing calendars to Office Online must be prevented. Compliant True
DTOO217 Publishing to a Web Distributed and Authoring (DAV) server must be prevented. Compliant True
DTOO218 Level of calendar details that a user can publish must be restricted. Compliant True
DTOO219 Access restriction settings for published calendars must be configured. Registry value not found. False
DTOO232 Outlook Object Model scripts must be disallowed to run for shared folders. Registry key not found. False
DTOO233 Outlook Object Model scripts must be disallowed to run for public folders. Registry key not found. False
DTOO234 ActiveX One-Off forms must be configured. Registry key not found. False
DTOO236 The Add-In Trust Level must be configured. Registry key not found. False
DTOO237 The remember password for internet e-mail accounts must be disabled. Registry key not found. False
DTOO238 Users customizing attachment security settings must be prevented. Registry value not found. False
DTOO239 Outlook Security Mode must be configured to use Group Policy settings. Registry key not found. False
DTOO240 The ability to display level 1 attachments must be disallowed. Registry key not found. False
DTOO246 Scripts in One-Off Outlook forms must be disallowed. Registry key not found. False
DTOO247 Custom Outlook Object Model (OOM) action execution prompts must be configured. Registry key not found. False
DTOO249 Object Model Prompt for programmatic email send behavior must be configured. Registry key not found. False
DTOO250 Object Model Prompt behavior for programmatic address books must be configured. Registry key not found. False
DTOO251 Object Model Prompt behavior for programmatic access of user address data must be configured. Registry key not found. False
DTOO252 Object Model Prompt behavior for Meeting and Task Responses must be configured. Registry key not found. False
DTOO253 Object Model Prompt behavior for the SaveAs method must be configured. Registry key not found. False
DTOO254 Object Model Prompt behavior for accessing User Property Formula must be configured. Registry key not found. False
DTOO257 S/Mime interoperability with external clients for message handling must be configured. Registry key not found. False
DTOO260 Message formats must be set to use SMime. Registry key not found. False
DTOO262 Run in FIPS compliant mode must be enforced. Registry key not found. False
DTOO264 Send all signed messages as clear signed messages must be configured. Registry key not found. False
DTOO266 Automatic sending s/Mime receipt requests must be disallowed. Registry key not found. False
DTOO267 Retrieving of CRL data must be set for online action. Registry key not found. False
DTOO270 External content and pictures in HTML email must be displayed. Registry key not found. False
DTOO271 Automatic download content for email in Safe Senders list must be disallowed. Registry key not found. False
DTOO272 Permit download of content from safe zones must be configured. Registry key not found. False
DTOO273 IE Trusted Zones assumed trusted must be blocked. Registry key not found. False
DTOO274 Internet with Safe Zones for Picture Download must be disabled. Registry key not found. False
DTOO275 Intranet with Safe Zones for automatic picture downloads must be configured. Registry key not found. False
DTOO276 Always warn on untrusted macros must be enforced. Registry key not found. False
DTOO277 Hyperlinks in suspected phishing email messages must be disallowed. Registry key not found. False
DTOO279 RPC encryption between Outlook and Exchange server must be enforced. Registry key not found. False
DTOO280 Outlook must be configured to force authentication when connecting to an Exchange server. Registry key not found. False
DTOO283 Disabling download full text of articles as HTML must be configured. Registry key not found. False
DTOO284 Automatic download of Internet Calendar appointment attachments must be disallowed. Registry key not found. False
DTOO285 Internet calendar integration in Outlook must be disabled. Registry key not found. False
DTOO286 User Entries to Server List must be disallowed. Registry key not found. False
DTOO313 Automatically downloading enclosures on RSS must be disallowed. Registry key not found. False
DTOO315 Outlook must be configured not to prompt users to choose security settings if default settings fail. Registry key not found. False
DTOO316 Outlook minimum encryption key length settings must be set. Registry key not found. False
DTOO317 Replies or forwards to signed/encrypted messages must be signed/encrypted. Registry key not found. False
DTOO320 Check e-mail addresses against addresses of certificates being used must be disallowed. Registry key not found. False
diff --git a/Samples/Outdated/Office2016Outlook.html b/Samples/Outdated/Office2016Outlook.html new file mode 100644 index 0000000..a3e5747 --- /dev/null +++ b/Samples/Outdated/Office2016Outlook.html @@ -0,0 +1 @@ +Microsoft Outlook 2016 Audit Report [04/03/2019 04:36:38]
FB-Pro GmbH

Microsoft Outlook 2016 Audit Report

Generated by the Outlook2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Outlook 2016 Security Technical Implementation Guide V1R2 2017-07-28.

This report was generated at 04/03/2019 04:36:38 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.3
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.128

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced. Compliant True
DTOO111 Enabling IE Bind to Object functionality must be present. Compliant True
DTOO117 Saved from URL mark to assure Internet zone processing must be enforced. Compliant True
DTOO123 Navigation to URLs embedded in Office products must be blocked. Compliant True
DTOO124 Scripted Window Security must be enforced. Compliant True
DTOO126 Add-on Management functionality must be allowed. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction. Registry value not found. False
DTOO216 Publishing calendars to Office Online must be prevented. Compliant True
DTOO217 Publishing to a Web Distributed and Authoring (DAV) server must be prevented. Compliant True
DTOO218 Level of calendar details that a user can publish must be restricted. Compliant True
DTOO219 Access restriction settings for published calendars must be configured. Registry value not found. False
DTOO232 Outlook Object Model scripts must be disallowed to run for shared folders. Registry key not found. False
DTOO233 Outlook Object Model scripts must be disallowed to run for public folders. Registry key not found. False
DTOO234 ActiveX One-Off forms must be configured. Registry key not found. False
DTOO236 The Add-In Trust Level must be configured. Registry key not found. False
DTOO237 The remember password for internet e-mail accounts must be disabled. Registry key not found. False
DTOO238 Users customizing attachment security settings must be prevented. Registry value not found. False
DTOO239 Outlook Security Mode must be configured to use Group Policy settings. Registry key not found. False
DTOO240 The ability to display level 1 attachments must be disallowed. Registry key not found. False
DTOO246 Scripts in One-Off Outlook forms must be disallowed. Registry key not found. False
DTOO247 Custom Outlook Object Model (OOM) action execution prompts must be configured. Registry key not found. False
DTOO249 Object Model Prompt for programmatic email send behavior must be configured. Registry key not found. False
DTOO250 Object Model Prompt behavior for programmatic address books must be configured. Registry key not found. False
DTOO251 Object Model Prompt behavior for programmatic access of user address data must be configured. Registry key not found. False
DTOO252 Object Model Prompt behavior for Meeting and Task Responses must be configured. Registry key not found. False
DTOO253 Object Model Prompt behavior for the SaveAs method must be configured. Registry key not found. False
DTOO254 Object Model Prompt behavior for accessing User Property Formula must be configured. Registry key not found. False
DTOO257 S/Mime interoperability with external clients for message handling must be configured. Registry key not found. False
DTOO260 Message formats must be set to use SMime. Registry key not found. False
DTOO262 Run in FIPS compliant mode must be enforced. Registry key not found. False
DTOO264 Send all signed messages as clear signed messages must be configured. Registry key not found. False
DTOO266 Automatic sending s/Mime receipt requests must be disallowed. Registry key not found. False
DTOO267 Retrieving of CRL data must be set for online action. Registry key not found. False
DTOO270 External content and pictures in HTML email must be displayed. Registry key not found. False
DTOO271 Automatic download content for email in Safe Senders list must be disallowed. Registry key not found. False
DTOO272 Permit download of content from safe zones must be configured. Registry key not found. False
DTOO273 IE Trusted Zones assumed trusted must be blocked. Registry key not found. False
DTOO274 Internet with Safe Zones for Picture Download must be disabled. Registry key not found. False
DTOO275 Intranet with Safe Zones for automatic picture downloads must be configured. Registry key not found. False
DTOO276 Always warn on untrusted macros must be enforced. Registry key not found. False
DTOO277 Hyperlinks in suspected phishing email messages must be disallowed. Registry key not found. False
DTOO279 RPC encryption between Outlook and Exchange server must be enforced. Registry key not found. False
DTOO280 Outlook must be configured to force authentication when connecting to an Exchange server. Registry key not found. False
DTOO283 Disabling download full text of articles as HTML must be configured. Registry key not found. False
DTOO284 Automatic download of Internet Calendar appointment attachments must be disallowed. Registry key not found. False
DTOO285 Internet calendar integration in Outlook must be disabled. Registry key not found. False
DTOO286 User Entries to Server List must be disallowed. Registry key not found. False
DTOO313 Automatically downloading enclosures on RSS must be disallowed. Registry key not found. False
DTOO315 Outlook must be configured not to prompt users to choose security settings if default settings fail. Registry key not found. False
DTOO316 Outlook minimum encryption key length settings must be set. Registry key not found. False
DTOO317 Replies or forwards to signed/encrypted messages must be signed/encrypted. Registry key not found. False
DTOO320 Check e-mail addresses against addresses of certificates being used must be disallowed. Registry key not found. False
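Review bot: The file is newly added yet placed under Samples/Outdated/, and nothing in the report says why it is considered outdated (it states it is based on the DISA Outlook 2016 STIG V1R2 2017-07-28). Either regenerate a current sample from the Outlook2016Audit module or add a short README in Samples/Outdated/ explaining which STIG or module version these reports reflect, so readers do not take them as reference output.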
diff --git a/Samples/Outdated/Office2016PowerPoint.dark.html b/Samples/Outdated/Office2016PowerPoint.dark.html new file mode 100644 index 0000000..21b1fbf --- /dev/null +++ b/Samples/Outdated/Office2016PowerPoint.dark.html @@ -0,0 +1 @@ +Microsoft PowerPoint 2016 Audit Report [04/03/2019 04:44:07]
FB-Pro GmbH

Microsoft PowerPoint 2016 Audit Report

Generated by the Excel2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Powerpoint 2016 Security Technical Implementation Guide V1R1 2016-11-14.

This report was generated at 04/03/2019 04:44:07 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.3
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.143

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint. Compliant True
DTOO110 Blocking as default file block opening behavior must be enforced. Compliant True
DTOO111 The Internet Explorer Bind to Object functionality must be enabled in PowerPoint. Compliant True
DTOO117 The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint. Compliant True
DTOO119 Configuration for file validation must be enforced. Compliant True
DTOO121 Files from the Internet zone must be opened in Protected View. Compliant. Registry value not set. True
DTOO123 Navigation to URLs embedded in Office products must be blocked in PowerPoint. Registry value: 0. Differs from allowed value: 1. False
DTOO124 Scripted Window Security must be enforced in PowerPoint. Registry value: 0. Differs from allowed value: 1. False
DTOO126 Add-on Management functionality must be allowed in PowerPoint. Registry value not found. False
DTOO127 Add-ins to Office applications must be signed by a Trusted Publisher. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint. Registry value not found. False
DTOO131 Trust Bar Notifications for unsigned application add-ins must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions in PowerPoint. Registry value not found. False
DTOO133 All automatic loading from trusted locations must be disabled. Registry key not found. False
DTOO134 Disallowance of trusted locations on the network must be enforced. Registry key not found. False
DTOO139 The Save commands default file format must be configured. Registry key not found. False
DTOO142 The scanning of encrypted macros in open XML documents must be enforced. Compliant. Registry value not set. True
DTOO146 Trust access for VBA must be disallowed. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced in PowerPoint. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction in PowerPoint. Registry value not found. False
DTOO288 Files in unsafe locations must be opened in Protected View. Compliant. Registry value not set. True
DTOO289 The ability to run programs from a PowerPoint presentation must be disallowed. Compliant. Registry value not set. True
DTOO292 Document behavior if file validation fails must be set. Compliant. Registry value not set. True
DTOO293 Attachments opened from Outlook must be in Protected View. Registry value not found. False
DTOO304 Warning Bar settings for VBA macros must be configured. Registry value not found. False
DTOO501 Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint Viewer. Registry value: 0. Differs from allowed value: 1. False
DTOO502 The Internet Explorer Bind to Object functionality must be enabled in PowerPoint Viewer. Compliant True
DTOO503 The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint Viewer. Compliant True
DTOO504 Navigation to URLs embedded in Office products must be blocked in PowerPoint Viewer. Compliant True
DTOO505 Scripted Window Security must be enforced in PowerPoint Viewer. Registry value: 0. Differs from allowed value: 1. False
DTOO506 Add-on Management functionality must be allowed in PowerPoint Viewer. Registry value not found. False
DTOO507 Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint Viewer. Registry value not found. False
DTOO508 File Downloads must be configured for proper restrictions in PowerPoint Viewer. Registry value not found. False
DTOO509 Protection from zone elevation must be enforced in PowerPoint Viewer. Registry value not found. False
DTOO510 ActiveX Installs must be configured for proper restriction in PowerPoint Viewer. Registry value not found. False
DTOO600 Macros must be blocked from running in Office files from the Internet. Registry value not found. False
DTOO605 Files on local Intranet UNC must be opened in Protected View. Registry value not found. False
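Review bot: The generator line in this PowerPoint report reads "Generated by the Excel2016Audit Module by FB Pro GmbH", which attributes the report to the wrong module; the Outlook and Word samples name their own modules correctly. This looks like a copied header in the PowerPoint report template rather than a sample-only slip, so fix the module name at the source and regenerate the sample rather than editing the HTML by hand.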
diff --git a/Samples/Outdated/Office2016PowerPoint.html b/Samples/Outdated/Office2016PowerPoint.html new file mode 100644 index 0000000..328f605 --- /dev/null +++ b/Samples/Outdated/Office2016PowerPoint.html @@ -0,0 +1 @@ +Microsoft PowerPoint 2016 Audit Report [04/03/2019 04:43:35]
FB-Pro GmbH

Microsoft PowerPoint 2016 Audit Report

Generated by the Excel2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Powerpoint 2016 Security Technical Implementation Guide V1R1 2016-11-14.

This report was generated at 04/03/2019 04:43:35 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.3
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.125

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint. Compliant True
DTOO110 Blocking as default file block opening behavior must be enforced. Compliant True
DTOO111 The Internet Explorer Bind to Object functionality must be enabled in PowerPoint. Compliant True
DTOO117 The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint. Compliant True
DTOO119 Configuration for file validation must be enforced. Compliant True
DTOO121 Files from the Internet zone must be opened in Protected View. Compliant. Registry value not set. True
DTOO123 Navigation to URLs embedded in Office products must be blocked in PowerPoint. Registry value: 0. Differs from allowed value: 1. False
DTOO124 Scripted Window Security must be enforced in PowerPoint. Registry value: 0. Differs from allowed value: 1. False
DTOO126 Add-on Management functionality must be allowed in PowerPoint. Registry value not found. False
DTOO127 Add-ins to Office applications must be signed by a Trusted Publisher. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint. Registry value not found. False
DTOO131 Trust Bar Notifications for unsigned application add-ins must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions in PowerPoint. Registry value not found. False
DTOO133 All automatic loading from trusted locations must be disabled. Registry key not found. False
DTOO134 Disallowance of trusted locations on the network must be enforced. Registry key not found. False
DTOO139 The Save commands default file format must be configured. Registry key not found. False
DTOO142 The scanning of encrypted macros in open XML documents must be enforced. Compliant. Registry value not set. True
DTOO146 Trust access for VBA must be disallowed. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced in PowerPoint. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction in PowerPoint. Registry value not found. False
DTOO288 Files in unsafe locations must be opened in Protected View. Compliant. Registry value not set. True
DTOO289 The ability to run programs from a PowerPoint presentation must be disallowed. Compliant. Registry value not set. True
DTOO292 Document behavior if file validation fails must be set. Compliant. Registry value not set. True
DTOO293 Attachments opened from Outlook must be in Protected View. Registry value not found. False
DTOO304 Warning Bar settings for VBA macros must be configured. Registry value not found. False
DTOO501 Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint Viewer. Registry value: 0. Differs from allowed value: 1. False
DTOO502 The Internet Explorer Bind to Object functionality must be enabled in PowerPoint Viewer. Compliant True
DTOO503 The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint Viewer. Compliant True
DTOO504 Navigation to URLs embedded in Office products must be blocked in PowerPoint Viewer. Compliant True
DTOO505 Scripted Window Security must be enforced in PowerPoint Viewer. Registry value: 0. Differs from allowed value: 1. False
DTOO506 Add-on Management functionality must be allowed in PowerPoint Viewer. Registry value not found. False
DTOO507 Links that invoke instances of Internet Explorer from within an Office product must be blocked in PowerPoint Viewer. Registry value not found. False
DTOO508 File Downloads must be configured for proper restrictions in PowerPoint Viewer. Registry value not found. False
DTOO509 Protection from zone elevation must be enforced in PowerPoint Viewer. Registry value not found. False
DTOO510 ActiveX Installs must be configured for proper restriction in PowerPoint Viewer. Registry value not found. False
DTOO600 Macros must be blocked from running in Office files from the Internet. Registry value not found. False
DTOO605 Files on local Intranet UNC must be opened in Protected View. Registry value not found. False
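Review bot: Same wrong attribution as in the dark variant: the header says "Generated by the Excel2016Audit Module" although this is the PowerPoint 2016 report. The module name is emitted by the report generator, so correct it there and regenerate both PowerPoint samples so the light and dark files agree.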
diff --git a/Samples/Outdated/Office2016SkypeForBusiness.dark.html b/Samples/Outdated/Office2016SkypeForBusiness.dark.html new file mode 100644 index 0000000..90939e3 --- /dev/null +++ b/Samples/Outdated/Office2016SkypeForBusiness.dark.html @@ -0,0 +1 @@ +Microsoft Skype for Business 2016 Audit Report [04/03/2019 04:50:15]
FB-Pro GmbH

Microsoft Skype for Business 2016 Audit Report

Generated by the Excel2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Skype for Business 2016 Security Technical Implementation Guide V1R1 2016-11-14.

This report was generated at 04/03/2019 04:50:15 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.3
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.153

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO420 The ability to store user passwords in Skype must be disabled. Compliant True
DTOO421 Session Initiation Protocol (SIP) security mode must be configured. Compliant True
DTOO422 In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP. Compliant True
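Review bot: The Skype for Business report also claims to be "Generated by the Excel2016Audit Module by FB Pro GmbH"; the generator string should name the Skype for Business audit module. Because the header is produced by the module itself, this sample will keep the wrong name until the template is fixed and the sample regenerated.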
diff --git a/Samples/Outdated/Office2016SkypeForBusiness.html b/Samples/Outdated/Office2016SkypeForBusiness.html new file mode 100644 index 0000000..1392c42 --- /dev/null +++ b/Samples/Outdated/Office2016SkypeForBusiness.html @@ -0,0 +1 @@ +Microsoft Skype for Business 2016 Audit Report [04/03/2019 04:49:54]
FB-Pro GmbH

Microsoft Skype for Business 2016 Audit Report

Generated by the Excel2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Skype for Business 2016 Security Technical Implementation Guide V1R1 2016-11-14.

This report was generated at 04/03/2019 04:49:54 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.3
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.170

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

This section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
DTOO420 The ability to store user passwords in Skype must be disabled. Compliant True
DTOO421 Session Initiation Protocol (SIP) security mode must be configured. Compliant True
DTOO422 In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP. Compliant True
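Review bot: Wrong module name in the header again ("Excel2016Audit Module" in a Skype for Business 2016 report). Fix the generator string in the Skype for Business module and regenerate this sample alongside the dark variant so both carry the correct attribution.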
diff --git a/Samples/Outdated/Office2016Word.dark.html b/Samples/Outdated/Office2016Word.dark.html new file mode 100644 index 0000000..5b5db1b --- /dev/null +++ b/Samples/Outdated/Office2016Word.dark.html @@ -0,0 +1 @@ +Microsoft Word 2016 Audit Report [04/03/2019 04:11:36]
FB-Pro GmbH

Microsoft Word 2016 Audit Report

Generated by the Word2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Word 2016 Security Technical Implementation Guide V1R1 2016-11-14.

This report was generated at 04/03/2019 04:11:36 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.5
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.110

Navigation

Click the link(s) below for quick access to a report section.

Recommandations^

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced. Compliant True
DTOO110 Blocking as default file block opening behavior must be enforced. Registry key not found. False
DTOO111 The Internet Explorer Bind to Object functionality must be enabled. Registry value: 0. Differs from allowed value: 1. False
DTOO117 Saved from URL mark to assure Internet zone processing must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO119 Configuration for file validation must be enforced. Registry value not found. False
DTOO121 Files from the Internet zone must be opened in Protected View. Registry value not found. False
DTOO123 Navigation to URLs embedded in Office products must be blocked. Compliant True
DTOO124 Scripted Window Security must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO126 Add-on Management functionality must be allowed. Registry value not found. False
DTOO127 Add-ins to Office applications must be signed by a Trusted Publisher. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked. Registry value not found. False
DTOO131 Trust Bar Notifications for unsigned application add-ins must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions. Registry value not found. False
DTOO133 All automatic loading from trusted locations must be disabled. Registry key not found. False
DTOO134 Disallowance of trusted locations on the network must be enforced. Registry key not found. False
DTOO139 The Save commands default file format must be configured. Registry key not found. False
DTOO142 Force encrypted macros to be scanned in open XML documents must be determined and configured. Compliant. Registry value not set. True
DTOO146 Trust access for VBA must be disallowed. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction. Registry value not found. False
DTOO288 Files in unsafe locations must be opened in Protected View. Compliant. Registry value not set. True
DTOO292 Document behavior if file validation fails must be set. Compliant True
DTOO292_b Document behavior if file validation fails must be set. Compliant True
DTOO293 Attachments opened from Outlook must be in Protected View. Compliant True
DTOO302 The automatically update links feature must be disabled. Registry key not found. False
DTOO304 Warning Bar settings for VBA macros must be configured. Registry value not found. False
DTOO328 Online translation dictionaries must not be used. Registry key not found. False
DTOO333 Word 2 and earlier binary documents and templates must be blocked for open/save. Registry key not found. False
DTOO334 Word 2000 binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO336 Word 6.0 binary documents and templates must be configured for block open/save actions. Registry key not found. False
DTOO337 Word 95 binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO338 Word 97 binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO339 Word XP binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO600 Macros must be blocked from running in Office files from the Internet. Registry value not found. False
DTOO605 Files on local Intranet UNC must be opened in Protected View. Registry value not found. False
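Review bot: The section heading in this Word report is misspelled ("Recommandations") and, unlike the Outlook, PowerPoint and Skype samples, it is not labelled "DISA Recommendations" and lacks the "This section contains all DISA recommendations" line; align the Word report template with the other modules before regenerating. Separately, the rows DTOO292 and DTOO292_b carry identical task text, so a reader cannot tell what the second check verifies; give the _b entry a task description that names the extra registry value or condition it covers.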
diff --git a/Samples/Outdated/Office2016Word.html b/Samples/Outdated/Office2016Word.html new file mode 100644 index 0000000..5b7fe62 --- /dev/null +++ b/Samples/Outdated/Office2016Word.html @@ -0,0 +1 @@ +Microsoft Word 2016 Audit Report [04/03/2019 04:11:12]
FB-Pro GmbH

Microsoft Word 2016 Audit Report

Generated by the Word2016Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on DISA Microsoft Word 2016 Security Technical Implementation Guide V1R1 2016-11-14.

This report was generated at 04/03/2019 04:11:12 on DESKTOP-O8FO61D.

HostnameDESKTOP-O8FO61D
Build Number17763
Free disk space(GB) 109.5
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.120

Navigation

Click the link(s) below for quick access to a report section.

Recommandations^

Registry Settings/Group Policies^

Id Task Message Audit
DTOO104 Disabling of user name and password syntax from being used in URLs must be enforced. Compliant True
DTOO110 Blocking as default file block opening behavior must be enforced. Registry key not found. False
DTOO111 The Internet Explorer Bind to Object functionality must be enabled. Registry value: 0. Differs from allowed value: 1. False
DTOO117 Saved from URL mark to assure Internet zone processing must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO119 Configuration for file validation must be enforced. Registry value not found. False
DTOO121 Files from the Internet zone must be opened in Protected View. Registry value not found. False
DTOO123 Navigation to URLs embedded in Office products must be blocked. Compliant True
DTOO124 Scripted Window Security must be enforced. Registry value: 0. Differs from allowed value: 1. False
DTOO126 Add-on Management functionality must be allowed. Registry value not found. False
DTOO127 Add-ins to Office applications must be signed by a Trusted Publisher. Registry value not found. False
DTOO129 Links that invoke instances of Internet Explorer from within an Office product must be blocked. Registry value not found. False
DTOO131 Trust Bar Notifications for unsigned application add-ins must be blocked. Registry value not found. False
DTOO132 File Downloads must be configured for proper restrictions. Registry value not found. False
DTOO133 All automatic loading from trusted locations must be disabled. Registry key not found. False
DTOO134 Disallowance of trusted locations on the network must be enforced. Registry key not found. False
DTOO139 The Save commands default file format must be configured. Registry key not found. False
DTOO142 Force encrypted macros to be scanned in open XML documents must be determined and configured. Compliant. Registry value not set. True
DTOO146 Trust access for VBA must be disallowed. Registry value not found. False
DTOO209 Protection from zone elevation must be enforced. Registry value not found. False
DTOO211 ActiveX Installs must be configured for proper restriction. Registry value not found. False
DTOO288 Files in unsafe locations must be opened in Protected View. Compliant. Registry value not set. True
DTOO292 Document behavior if file validation fails must be set. Compliant True
DTOO292_b Document behavior if file validation fails must be set. Compliant True
DTOO293 Attachments opened from Outlook must be in Protected View. Compliant True
DTOO302 The automatically update links feature must be disabled. Registry key not found. False
DTOO304 Warning Bar settings for VBA macros must be configured. Registry value not found. False
DTOO328 Online translation dictionaries must not be used. Registry key not found. False
DTOO333 Word 2 and earlier binary documents and templates must be blocked for open/save. Registry key not found. False
DTOO334 Word 2000 binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO336 Word 6.0 binary documents and templates must be configured for block open/save actions. Registry key not found. False
DTOO337 Word 95 binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO338 Word 97 binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO339 Word XP binary documents and templates must be configured to edit in protected view. Registry key not found. False
DTOO600 Macros must be blocked from running in Office files from the Internet. Registry value not found. False
DTOO605 Files on local Intranet UNC must be opened in Protected View. Registry value not found. False
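Review bot: "Recommandations" is misspelled in the section heading, and the heading and its description differ from the "DISA Recommendations" wording the other Office reports use; this comes from the Word2016Audit report template, so fix it there. Also, DTOO292 and DTOO292_b show the same task text, which hides what the second check adds; label the _b row with the specific condition it tests.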
diff --git a/Samples/Outdated/Windows10.html b/Samples/Outdated/Windows10.html new file mode 100644 index 0000000..74d72e7 --- /dev/null +++ b/Samples/Outdated/Windows10.html @@ -0,0 +1,14 @@ +Windows 10 Report [05/14/2019 08:14:34]

Windows 10 Report

Generated by the Windows10Audit Module by FB Pro GmbH. Get it in the Audit Test Automation Package.

Based on Windows 10 Security Technical Implementation Guide V1R16 2019-01-25.

This report was generated at 05/14/2019 08:14:34 on DESKTOP-VSBMIM9.

HostnameDESKTOP-VSBMIM9
Build Number17763
Free disk space(GB) 115.2
Operating SystemMicrosoft Windows 10 Enterprise Evaluation
Free physical memory (GB)0.564

Summary

A total of 640 tests have been run. 503 resulted in false. 0 resulted in warning.

  1. True 132 test(s) ≙ 20.63%
  2. False 503 test(s) ≙ 78.59%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 5 test(s) ≙ 0.78%

Navigation

Click the link(s) below for quick access to a report section.

DISA Recommendations^

TThis section contains all DISA recommendations

Registry Settings/Group Policies^

Id Task Message Audit
WN10-CC-000310 Users must be prevented from changing installation options. Registry key not found. False
WN10-CC-000315 The Windows Installer Always install with elevated privileges must be disabled. Registry key not found. False
WN10-CC-000320 Users must be notified if a web-based program attempts to install software. Registry key not found. False
WN10-CC-000325 Automatically signing in the last interactive user after a system-initiated restart must be disabled. Registry value not found. False
WN10-CC-000330 The Windows Remote Management (WinRM) client must not use Basic authentication. Registry key not found. False
WN10-CC-000335 The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000340 The Windows Remote Management (WinRM) client must not use Digest authentication. Registry key not found. False
WN10-CC-000345 The Windows Remote Management (WinRM) service must not use Basic authentication. Registry key not found. False
WN10-CC-000350 The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000355 The Windows Remote Management (WinRM) service must not store RunAs credentials. Registry key not found. False
WN10-AU-000500 The Application event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-AU-000505 The Security event log size must be configured to 1024000 KB or greater. Registry key not found. False
WN10-AU-000510 The System event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-CC-000005 Camera access from the lock screen must be disabled. Registry key not found. False
WN10-CC-000010 The display of slide shows on the lock screen must be disabled. Registry key not found. False
WN10-CC-000020 IPv6 source routing must be configured to highest protection. Registry value not found. False
WN10-CC-000025 The system must be configured to prevent IP source routing. Registry value not found. False
WN10-CC-000030 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Registry value not found. False
WN10-CC-000035 The system must be configured to ignore NetBIOS name release requests except from WINS servers. Registry value not found. False
WN10-CC-000040 Insecure logons to an SMB server must be disabled. Registry key not found. False
WN10-CC-000055 Simultaneous connections to the Internet or a Windows domain must be limited. Registry value not found. False
WN10-CC-000060 Connections to non-domain networks when connected to a domain authenticated network must be blocked. Registry value not found. False
WN10-CC-000065 Wi-Fi Sense must be disabled. Registry value not found. False
WN10-CC-000037 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Registry value not found. False
WN10-CC-000085 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Registry key not found. False
WN10-CC-000090 Group Policy objects must be reprocessed even if they have not changed. Registry key not found. False
WN10-CC-000100 Downloading print driver packages over HTTP must be prevented. Registry key not found. False
WN10-SO-000015 Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
WN10-CC-000105 Web publishing and online ordering wizards must be prevented from downloading a list of providers. Registry value not found. False
WN10-CC-000110 Printing over HTTP must be prevented. Registry key not found. False
WN10-CC-000115 Systems must at least attempt device authentication using certificates. Registry key not found. False
WN10-CC-000120 The network selection user interface (UI) must not be displayed on the logon screen. Registry value not found. False
WN10-CC-000130 Local users on domain-joined computers must not be enumerated. Registry value not found. False
WN10-SO-000030 Audit policy using subcategories must be enabled. Registry value not found. False
WN10-SO-000035 Outgoing secure channel traffic must be encrypted or signed. Compliant True
WN10-SO-000040 Outgoing secure channel traffic must be encrypted when possible. Compliant True
WN10-CC-000145 Users must be prompted for a password on resume from sleep (on battery). Registry key not found. False
WN10-SO-000045 Outgoing secure channel traffic must be signed when possible. Compliant True
WN10-CC-000150 The user must be prompted for a password on resume from sleep (plugged in). Registry key not found. False
WN10-CC-000155 Solicited Remote Assistance must not be allowed. Registry value not found. False
WN10-SO-000050 The computer account password must not be prevented from being reset. Compliant True
WN10-CC-000165 Unauthenticated RPC clients must be restricted from connecting to the RPC server. Registry key not found. False
WN10-CC-000170 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Registry value not found. False
WN10-CC-000175 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Registry key not found. False
WN10-SO-000060 The system must be configured to require a strong session key. Compliant True
WN10-CC-000180 Autoplay must be turned off for non-volume devices. Registry key not found. False
WN10-SO-000070 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Registry value not found. False
WN10-CC-000185 The default autorun behavior must be configured to prevent autorun commands. Registry value not found. False
WN10-CC-000190 Autoplay must be disabled for all drives. Registry value not found. False
WN10-CC-000195 Enhanced anti-spoofing for facial recognition must be enabled on Window 10. Registry key not found. False
WN10-CC-000200 Administrator accounts must not be enumerated during elevation. Registry key not found. False
WN10-CC-000215 Explorer Data Execution Prevention must be enabled. Registry key not found. False
WN10-CC-000220 Turning off File Explorer heap termination on corruption must be disabled. Registry key not found. False
WN10-CC-000225 File Explorer shell protocol must run in protected mode. Registry value not found. False
WN10-SO-000095 The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000230 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. Registry key not found. False
WN10-CC-000235 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. Registry key not found. False
WN10-SO-000100 The Windows SMB client must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000240 InPrivate browsing in Microsoft Edge must be disabled. Registry key not found. False
WN10-SO-000105 The Windows SMB client must be enabled to perform SMB packet signing when possible. Compliant True
WN10-SO-000110 Unencrypted passwords must not be sent to third-party SMB Servers. Compliant True
WN10-CC-000250 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. Registry key not found. False
WN10-CC-000255 The use of a hardware security device with Windows Hello for Business must be enabled. Registry key not found. False
WN10-SO-000120 The Windows SMB server must be configured to always perform SMB packet signing. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000260 Windows 10 must be configured to require a minimum pin length of six characters or greater. Registry key not found. False
WN10-SO-000125 The Windows SMB server must perform SMB packet signing when possible. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000270 Passwords must not be saved in the Remote Desktop Client. Registry value not found. False
WN10-CC-000275 Local drives must be prevented from sharing with Remote Desktop Session Hosts. Registry value not found. False
WN10-CC-000280 Remote Desktop Services must always prompt a client for passwords upon connection. Registry value not found. False
WN10-CC-000285 The Remote Desktop Session Host must require secure RPC communications. Registry value not found. False
WN10-CC-000290 Remote Desktop Services must be configured with the client connection encryption set to the required level. Registry value not found. False
WN10-CC-000295 Attachments must be prevented from being downloaded from RSS feeds. Registry key not found. False
WN10-SO-000145 Anonymous enumeration of SAM accounts must not be allowed. Compliant True
WN10-CC-000300 Basic authentication for RSS feeds over HTTP must not be used. Registry key not found. False
WN10-SO-000150 Anonymous enumeration of shares must be restricted. Registry value: 0. Differs from expected value: 1. False
WN10-CC-000305 Indexing of encrypted files must be turned off. Registry key not found. False
WN10-SO-000160 The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Compliant True
WN10-SO-000165 Anonymous access to Named Pipes and Shares must be restricted. Compliant True
WN10-SO-000175 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Registry value not found. False
WN10-SO-000180 NTLM must be prevented from falling back to a Null session. Registry value not found. False
WN10-SO-000185 PKU2U authentication using online identities must be prevented. Registry key not found. False
WN10-SO-000190 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Registry key not found. False
WN10-SO-000195 The system must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
WN10-SO-000205 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. Registry value not found. False
WN10-SO-000210 The system must be configured to the required LDAP client signing level. Compliant True
WN10-SO-000215 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000220 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Registry value: 536870912. Differs from expected value: 537395200. False
WN10-SO-000230 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Registry value: 0. Differs from expected value: 1. False
WN10-SO-000240 The default permissions of global system objects must be increased. Compliant True
WN10-SO-000245 User Account Control approval mode for the built-in Administrator must be enabled. Registry value not found. False
WN10-SO-000250 User Account Control must, at minimum, prompt administrators for consent on the secure desktop. Registry value: 5. Differs from expected value: 2. False
WN10-SO-000255 User Account Control must automatically deny elevation requests for standard users. Registry value: 3. Differs from expected value: 0. False
WN10-SO-000260 User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
WN10-SO-000265 User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
WN10-SO-000270 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
WN10-SO-000275 User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
WN10-UC-000015 Toast notifications to the lock screen must be turned off. Registry key not found. False
WN10-UC-000020 Zone information must be preserved when saving attachments. Registry key not found. False
WN10-CC-000066 Command line data must be included in process creation events. Registry value not found. False
WN10-CC-000326 PowerShell script block logging must be enabled. Registry key not found. False
WN10-00-000150 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. Registry value not found. False
WN10-CC-000038 WDigest Authentication must be disabled. Registry value not found. False
WN10-CC-000044 Internet connection sharing must be disabled. Registry value not found. False
WN10-CC-000197 Microsoft consumer experiences must be turned off. Registry key not found. False
WN10-CC-000228 Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. Registry key not found. False
WN10-CC-000252 Windows 10 must be configured to disable Windows Game Recording and Broadcasting. Registry key not found. False
WN10-CC-000068 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. Registry key not found. False
WN10-00-000165 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. Registry value not found. False
WN10-UC-000005 The use of personal accounts for OneDrive synchronization must be disabled. Registry key not found. False
WN10-CC-000238 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Registry key not found. False
WN10-CC-000204 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. Registry value not found. False

User Rights Assignment^

Id Task Message Audit
WN10-UR-000005 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000010 The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. The following users have too many rights: Everyone, BUILTIN\Users, BUILTIN\Backup Operators False
WN10-UR-000015 The Act as part of the operating system user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000025 The Allow log on locally user right must only be assigned to the Administrators and Users groups. The following users have too many rights: DESKTOP-VSBMIM9\Guest, BUILTIN\Backup Operators False
WN10-UR-000030 The Back up files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000035 The Change the system time user right must only be assigned to Administrators and Local Service. Compliant True
WN10-UR-000040 The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000045 The Create a token object user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000050 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000055 The Create permanent shared objects user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000065 The Debug programs user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000070 MW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000070 SW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000075 MW The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000080 MW The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 MW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000085 SW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The following users have too many rights: DESKTOP-VSBMIM9\Guest False
WN10-UR-000090 MW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Not applicable. This audit applies only to MemberWorkstation. None
WN10-UR-000090 SW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The following users have don't have the rights: False
WN10-UR-000100 The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000105 The Generate security audits user right must only be assigned to Local Service and Network Service. Compliant True
WN10-UR-000110 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000115 The Increase scheduling priority user right must only be assigned to the Administrators group. The following users have too many rights: Window Manager\Window Manager Group False
WN10-UR-000120 The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000125 The Lock pages in memory user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000130 The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000140 The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000145 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000150 The Profile single process user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000160 The Restore files and directories user right must only be assigned to the Administrators group. The following users have too many rights: BUILTIN\Backup Operators False
WN10-UR-000165 The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True

Account Policies^

Id Task Message Audit
WN10-AC-000005 Windows 10 account lockout duration must be configured to 15 minutes or greater. Currently not set. False
WN10-AC-000010 The number of allowed bad logon attempts must be configured to 3 or less. Currently set to: 0. Expected: not equal 0 False
WN10-AC-000015 The period of time before the bad logon counter is reset must be configured to 15 minutes. Currently not set. False
WN10-AC-000020 The password history must be configured to 24 passwords remembered. Currently set to: 0. Expected: greater than or equal 24 False
WN10-AC-000025 The maximum password age must be configured to 60 days or less. Compliant True
WN10-AC-000030 The minimum password age must be configured to at least 1 day. Currently set to: 0. Expected: greater than or equal 1 False
WN10-AC-000035 Passwords must, at a minimum, be 14 characters. Currently set to: 0. Expected: greater than or equal 14 False
WN10-AC-000040 The built-in Microsoft password complexity filter must be enabled. Currently set to: 0. Expected: equals 1 False
WN10-AC-000045 Reversible password encryption must be disabled. Compliant True
WN10-SO-000140 Anonymous SID/Name translation must not be allowed. Compliant True

Windows Features^

Id Task Message Audit
WN10-00-000100 Internet Information System (IIS) or its subcomponents must not be installed on a workstation. Compliant True
WN10-00-000110 Simple TCP/IP Services must not be installed on the system. Compliant True
WN10-00-000115 The Telnet Client must not be installed on the system. Compliant True
WN10-00-000120 The TFTP Client must not be installed on the system. Compliant True

File System Permissions^

Id Task Message Audit
WN10-AU-000515 Permissions for the Application event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000520 Permissions for the Security event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False
WN10-AU-000525 Permissions for the System event log must prevent access by non-privileged accounts. Unexpected 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' with access 'ReadData, ReadExtendedAttributes, WriteExtendedAttributes, ReadPermissions' False

Registry Permissions^

Id Task Message Audit
WN10-RG-000005 A Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Compliant True
WN10-RG-000005 B Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False
WN10-RG-000005 C Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False

CIS Benchmarks^

This section contains all benchmarks from CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0 - 03-31-2017. WARNING: Tests in this version haven't been fully tested yet.

Registry Settings/Group Policies^

Id Task Message Audit
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' Registry value not found. False
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' Compliant True
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Registry value not found. False
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Registry value not found. False
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' Compliant True
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' Compliant True
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' Compliant True
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' Compliant True
2.3.7.1 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.7.2 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' Registry value not found. False
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' Registry value not found. False
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' Registry value not found. False
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' Compliant True
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' Registry value is ''. Expected: pattern match .+ False
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' Registry value is '10'. Expected: pattern match ^[43210]$ False
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' Compliant True
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher Registry value is '0'. Expected: pattern match ^(1|2|3)$ False
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' Compliant True
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' Compliant True
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' Compliant True
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' Compliant True
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher Registry value not found. False
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' Compliant True
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' Compliant True
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' Registry value is ''. Expected: equals False
2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' Compliant True
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' Compliant True
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' Compliant True
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' Registry value not found. False
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' Compliant True
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' Registry value not found. False
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' Registry value not found. False
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' Registry key not found. False
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' Registry key not found. +Registry key not found. False
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' Compliant True
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' Registry value not found. False
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher Compliant True
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: equals 537395200 False
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: equals 537395200 False
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher Registry value not found. False
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' Compliant True
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' Compliant True
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' Registry value not found. False
2.3.17.2 (L1) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' Compliant True
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' Registry value is '5'. Expected: equals 2 False
2.3.17.4 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' Registry value is '3'. Expected: equals 0 False
2.3.17.5 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' Compliant True
2.3.17.6 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' Compliant True
2.3.17.7 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' Compliant True
2.3.17.8 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' Compliant True
2.3.17.9 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' Compliant True
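The LSA and UAC findings above are reported as raw DWORDs. The following PowerShell is an added example, not part of the audit output or of the tool that produced it; it reads the same values from their documented registry locations, decodes the NTLM minimum-session-security bitmask (0x00080000 = require NTLMv2 session security, 0x20000000 = require 128-bit encryption, so the expected 537395200 is both bits) and maps the UAC values to their Group Policy meanings. The helper names (`Get-RegValueOrNull`, `Test-NtlmMinSec`) are mine; run it in an elevated session.

```powershell
# Added example (not from the audit output above): decode the values behind
# 2.3.11.10 and 2.3.17.1/3/4 so "value X, expected Y" becomes readable.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# NTLMMinServerSec / NTLMMinClientSec are bitmasks of NTLMSSP negotiate flags.
$NtlmFlags = @{
    0x00080000 = 'Require NTLMv2 session security'   # NTLMSSP_NEGOTIATE_NTLM2
    0x20000000 = 'Require 128-bit encryption'        # NTLMSSP_NEGOTIATE_128
}

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Distinguish "value absent" (not configured, OS default applies) from a
    # present value, the same distinction the report makes.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-NtlmMinSec([string]$Name) {
    $v = Get-RegValueOrNull $lsa $Name
    if ($null -eq $v) { return "$Name`: not set (OS default applies)" }
    $missing = $NtlmFlags.Keys | Where-Object { ($v -band $_) -eq 0 } |
        ForEach-Object { $NtlmFlags[$_] }
    $state = if ($missing) { "missing: $($missing -join ', ')" } else { 'compliant' }
    '{0}: 0x{1:X8} ({1}) -> {2}' -f $Name, $v, $state
}

Test-NtlmMinSec 'NTLMMinServerSec'   # for the report's 536870912: missing NTLMv2 session security
Test-NtlmMinSec 'NTLMMinClientSec'   # the client-side counterpart has the same expected value

# UAC values and their Group Policy meanings.
$ConsentAdmin = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                   2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                   4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
$ConsentUser  = @{ 0 = 'Automatically deny elevation requests'
                   1 = 'Prompt for credentials on the secure desktop'; 3 = 'Prompt for credentials' }

$UacChecks = @(
    @{ Id = '2.3.17.1'; Name = 'FilterAdministratorToken';   Expect = 1; Map = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Id = '2.3.17.3'; Name = 'ConsentPromptBehaviorAdmin'; Expect = 2; Map = $ConsentAdmin }
    @{ Id = '2.3.17.4'; Name = 'ConsentPromptBehaviorUser';  Expect = 0; Map = $ConsentUser }
)
foreach ($c in $UacChecks) {
    $v = Get-RegValueOrNull $uac $c.Name
    # "not set" for FilterAdministratorToken means the default 0: the built-in
    # Administrator runs without Admin Approval Mode, which is why 2.3.17.1 fails.
    $have = if ($null -eq $v) { 'not set' } else { "$v ($($c.Map[[int]$v]))" }
    [pscustomobject]@{ Check = $c.Id; Value = $c.Name; Current = $have
                       Expected = "$($c.Expect) ($($c.Map[$c.Expect]))"
                       Compliant = ($v -eq $c.Expect) }
}
```

The NTLM check is worth running for both the server and client values: the report line covers the server side, but a host that only enforces 128-bit encryption without NTLMv2 session security on either side still negotiates the weaker session security with a peer that asks for it.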
5.1 (L2) Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled' Registry key not found. False
5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' Compliant True
5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.6 (L1) Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled' Compliant True
5.7 (L1) Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled' Compliant True
5.8 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' Compliant True
5.9 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.10 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.11 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.12 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' Compliant True
5.13 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.14 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.15 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.16 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.17 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.18 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' Compliant True
5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' Compliant True
5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' Compliant True
5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' Compliant True
5.30 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.31 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.32 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' Compliant True
5.33 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.34 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.35 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' Registry value found; value is '3'. Expected: equals 4 False
5.36 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.37 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' Registry value is '2'. Expected: equals 4 False
5.38 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.40 (L2) Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.43 (L1) Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled' Registry key not found. False
5.44 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.45 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
5.46 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' Registry value is '3'. Expected: equals 4 False
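Every section 5 row is the same test: the service's `Start` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\<name>` must be 4 (Disabled); 2 is Automatic and 3 is Manual, and a missing key means the service is not installed, which only satisfies the rows worded 'Disabled' or 'Not Installed'. The PowerShell below is an added example, not the auditing tool's code; it evaluates a subset of the services listed above the same way, with an optional remediation switch. The service names and levels are copied from the rows; `Test-ServiceStart` and the `NotInstalledOk` field are my own.

```powershell
# Added example (not from the audit output above): audit, and optionally
# disable, the section 5 services from the registry the way the report does.
$Services = @(
    @{ Id = '5.2';  Level = 'L2'; Name = 'bthserv';        NotInstalledOk = $false }
    @{ Id = '5.13'; Level = 'L1'; Name = 'FTPSVC';         NotInstalledOk = $true  }
    @{ Id = '5.22'; Level = 'L2'; Name = 'TermService';    NotInstalledOk = $false }
    @{ Id = '5.25'; Level = 'L2'; Name = 'RemoteRegistry'; NotInstalledOk = $false }
    @{ Id = '5.27'; Level = 'L2'; Name = 'LanmanServer';   NotInstalledOk = $false }
    @{ Id = '5.30'; Level = 'L1'; Name = 'SSDPSRV';        NotInstalledOk = $false }
    @{ Id = '5.31'; Level = 'L1'; Name = 'upnphost';       NotInstalledOk = $false }
    @{ Id = '5.39'; Level = 'L2'; Name = 'WinRM';          NotInstalledOk = $false }
    @{ Id = '5.43'; Level = 'L1'; Name = 'xbgm';           NotInstalledOk = $false }
)
$StartType = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceStart {
    param([hashtable]$Svc, [switch]$Remediate)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Svc.Name)"
    if (-not (Test-Path $key)) {
        # Service not installed: passes only the "Disabled or Not Installed" rows
        # (this is why 5.43 xbgm is reported False although the key is absent).
        return [pscustomobject]@{ Check = $Svc.Id; Level = $Svc.Level; Service = $Svc.Name
                                  Start = '(not installed)'; Compliant = $Svc.NotInstalledOk }
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $ok = ($start -eq 4)
    if (-not $ok -and $Remediate) {
        # Stop first so a running instance does not survive the change, then disable.
        Stop-Service -Name $Svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $Svc.Name -StartupType Disabled
        $start = 4; $ok = $true
    }
    [pscustomobject]@{ Check = $Svc.Id; Level = $Svc.Level; Service = $Svc.Name
                       Start = "$start ($($StartType[[int]$start]))"; Compliant = $ok }
}

# Audit only. Add -Remediate inside the script block to disable the failures.
$Services | ForEach-Object { Test-ServiceStart -Svc $_ } | Format-Table -AutoSize
```

Before remediating the L2 rows, check what the host is used for: disabling `LanmanServer` (5.27) removes all file and administrative shares, `TermService` (5.22) ends RDP access, and `WinRM` (5.39) breaks remote PowerShell management, which is exactly why those three are Level 2 rather than Level 1.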
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' Registry key not found. False
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' Registry key not found. False
18.1.2.2 (L1) Ensure 'Allow input personalization' is set to 'Disabled' Registry key not found. False
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' Registry value not found. False
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed Registry key not found. False
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' Registry key not found. False
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' Registry key not found. False
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' Registry key not found. False
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' Registry key not found. False
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' Registry key not found. False
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' Registry value not found. False
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' Registry key not found. False
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' Registry value not found. False
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' Registry value not found. False
18.3.5 (L1) Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled' Registry key not found. False
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' Registry value not found. False
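The 18.3.x rows all fail with "Registry value not found" or "Registry key not found", which means the policy is simply not configured and the OS default applies. Whether that default is safe depends on the build (WDigest credential caching is off by default from Windows 8.1 / Server 2012 R2 onward, and SMBv1 is not installed on clean installs of recent Windows 10 builds), but the benchmark wants each setting pinned explicitly so a default cannot change underneath it. The PowerShell below is an added example, not the tool's code; it audits the six values at their documented locations and cross-checks SMBv1 against the live configuration. `Test-PolicyValue` and the `Why` annotations are mine.

```powershell
# Added example (not from the audit output above): audit the 18.3.x values and
# explain why each matters to an attacker.
$Checks = @(
    @{ Id = '18.3.1'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Expect = 0
       Why = '1 gives local admins a full token over the network (pass-the-hash lateral movement)' }
    @{ Id = '18.3.2'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
       Name = 'Start'; Expect = 4; Why = '4 disables the SMBv1 client driver' }
    @{ Id = '18.3.3'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expect = 0; Why = '0 turns off the SMBv1 server' }
    @{ Id = '18.3.4'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
       Name = 'DisableExceptionChainValidation'; Expect = 0; Why = '0 keeps SEHOP enabled' }
    @{ Id = '18.3.5'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
       Name = 'MpEnablePus'; Expect = 1; Why = '1 enables Defender PUA protection' }
    @{ Id = '18.3.6'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Expect = 0
       Why = '1 keeps plaintext credentials in LSASS memory (mimikatz sekurlsa::wdigest)' }
)

function Test-PolicyValue([hashtable]$C) {
    # Reproduce the report's three states: key missing, value missing, value present.
    $state = 'Registry key not found'
    $value = $null
    if (Test-Path $C.Key) {
        $state = 'Registry value not found'
        $p = Get-ItemProperty -Path $C.Key -Name $C.Name -ErrorAction SilentlyContinue
        if ($null -ne $p) { $value = $p.($C.Name); $state = "Registry value is '$value'" }
    }
    [pscustomobject]@{ Check = $C.Id; Name = $C.Name; State = $state
                       Expected = $C.Expect; Compliant = ($value -eq $C.Expect); Why = $C.Why }
}

$Checks | ForEach-Object { Test-PolicyValue $_ } |
    Format-Table Check, Name, State, Expected, Compliant -AutoSize

# Cross-check SMBv1 against the running configuration, not only the policy keys:
# an unset value can still mean SMBv1 is absent on a current client build.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
```

`Get-WindowsOptionalFeature` needs an elevated session and applies to client SKUs; on Windows Server the equivalent is `Get-WindowsFeature FS-SMB1`. Treat the WDigest row as the most urgent of the six even where the default already protects you: one DWORD flipped to 1 by an attacker with admin rights re-enables plaintext credential caching silently, so an explicit policy value plus monitoring of that key is the defensible position.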
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' Compliant True
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' Registry value not found. False
18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' Registry value not found. False
18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' Registry value not found. False
18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' Registry value not found. False
18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' Registry value not found. False
18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' Registry value not found. False
18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Registry value not found. False
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Registry value not found. False
18.5.4.1 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') Registry value not found. False
18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' Registry key not found. False
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' Registry value not found. False
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' Registry key not found. False
18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' Registry key not found. False
18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' Registry key not found. False
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Registry value is '0'. Expected: equals 1 False
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' Registry value not found. False
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' Registry value is ''. Expected: pattern match [Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1.*[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1 False
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') Registry value not found. False
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' Registry key not found. False
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' Registry key not found. False
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled' Registry value not found. False
18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' Registry value not found. False
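Row 18.5.14.1 is the one case above where the value exists but is empty (''), so the pattern match fails. Hardened UNC Paths are REG_SZ values under the NetworkProvider policy key, one per UNC pattern, whose data is a comma-separated flag list; the report's regular expression requires both `RequireMutualAuthentication=1` and `RequireIntegrity=1`. The PowerShell below is an added example, not the tool's code; it applies the same regular expression and shows the remediation. `Test-HardenedPath` and `Set-HardenedPath` are my names.

```powershell
# Added example (not from the audit output above): check and set 18.5.14.1.
$Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$Required = '\\*\NETLOGON', '\\*\SYSVOL'
# The same test the report applies: both flags present and set to 1.
$Pattern  = '[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1.*[Rr]equire([Mm]utual[Aa]uthentication|[Ii]ntegrity)=1'

function Test-HardenedPath([string]$Path) {
    $data = $null
    if (Test-Path $Key) {
        # Value names contain backslashes and '*', so read the whole key and
        # index by name rather than passing -Name.
        $data = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Path
    }
    [pscustomobject]@{
        Path      = $Path
        Data      = if ($null -eq $data) { '(value not found)' } else { "'$data'" }
        Compliant = [bool]($data -and $data -match $Pattern)
    }
}

function Set-HardenedPath([string]$Path) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Mutual authentication stops a rogue SMB server from impersonating the DC
    # share; integrity stops tampering with policy files and scripts in transit.
    Set-ItemProperty -Path $Key -Name $Path -Type String `
        -Value 'RequireMutualAuthentication=1, RequireIntegrity=1'
}

$Required | ForEach-Object { Test-HardenedPath $_ }
# Remediate (elevated) and re-check:
# $Required | ForEach-Object { Set-HardenedPath $_; Test-HardenedPath $_ }
```

On a domain-joined host, set this through the Group Policy object rather than with `Set-HardenedPath`: values under `HKLM\SOFTWARE\Policies` are rewritten at every policy refresh, so a direct registry edit is reverted, and the empty string the report found is typically what a partially configured GPO leaves behind.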
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' Registry value not found. False
18.8.4.1 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' Registry key not found. False
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' Registry key not found. False
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' Registry key not found. False
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' Registry key not found. False
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' Registry key not found. False
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' Registry key not found. False
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' Registry key not found. False
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' Registry key not found. False
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' Registry key not found. False
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' Registry key not found. False
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' Registry key not found. False
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' Registry value not found. False
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' Compliant. Registry value not found. True
18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' Registry key not found. False
18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' Registry key not found. False
18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' Registry key not found. False
18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' Registry value not found. False
18.8.22.1.7 (L1) Ensure 'Turn off printing over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' Registry key not found. False
18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' Registry value not found. False
18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' Registry value not found. False
18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' Registry key not found. False
18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' Registry key not found. False
18.8.26.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' Registry key not found. False
18.8.27.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' Registry value not found. False
18.8.27.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' Registry value not found. False
18.8.27.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' Registry value not found. False
18.8.27.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' Registry value not found. False
18.8.27.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' Registry value not found. False
18.8.27.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' Registry value not found. False
18.8.27.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' Registry value not found. False
18.8.33.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' Registry key not found. False
18.8.33.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.33.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' Registry key not found. False
18.8.33.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.33.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' Registry key not found. False
18.8.33.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' Registry key not found. False
18.8.35.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.36.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' Registry key not found. False
18.8.36.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' Registry key not found. False
18.8.44.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' Registry key not found. False
18.8.44.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' Registry key not found. False
18.8.46.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' Registry key not found. False
18.8.49.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' Registry key not found. False
18.8.49.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' Registry key not found. False
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' Registry key not found. False
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' Registry value not found. False
18.9.6.2 (L2) Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled' Registry value not found. False
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Registry key not found. False
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' Registry value not found. False
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' Registry value not found. False
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' Registry key not found. False
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' Registry key not found. False
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' Registry key not found. False
18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.11 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.12 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.13 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.1.14 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' Registry key not found. False
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' Registry key not found. False
18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' Registry key not found. False
18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' Registry key not found. False
18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.11 (BL) Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters' Registry key not found. False
18.9.11.2.12 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled' Registry key not found. False
18.9.11.2.13 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.14 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.15 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.2.16 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' Registry key not found. False
18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.19 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM' Registry key not found. False
18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' Registry key not found. False
18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' Registry key not found. False
18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' Registry key not found. False
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' Registry key not found. False
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.11 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.12 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.13 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' Registry key not found. False
18.9.11.3.14 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' Registry key not found. False
18.9.11.3.15 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.16 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' Registry key not found. False
18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' Registry key not found. False
18.9.11.4 (BL) Ensure 'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)' is set to 'Enabled: XTS-AES 256-bit' Registry key not found. False
18.9.11.5 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' Registry key not found. False
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' Registry key not found. False
18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' Registry key not found. False
18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled' Registry key not found. False
18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' Registry key not found. False
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' Registry key not found. False
18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' Registry value not found. +Registry value not found. False
18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' Registry value not found. False
18.9.16.3 (L1) Ensure 'Disable pre-release features or settings' is set to 'Disabled' Registry key not found. False
18.9.16.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' Registry value not found. False
18.9.16.5 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' Registry key not found. False
18.9.17.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Registry key not found. False
18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Registry key not found. False
18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' Registry key not found. False
18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' Registry key not found. False
18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' Registry value not found. False
18.9.35.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' Registry key not found. False
18.9.39.2 (L2) Ensure 'Turn off location' is set to 'Enabled' Registry key not found. False
18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' Registry key not found. False
18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' Registry key not found. False
18.9.45.1 (L2) Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled' Registry key not found. False
18.9.45.2 (L2) Ensure 'Allow Adobe Flash' is set to 'Disabled' Registry key not found. False
18.9.45.3 (L2) Ensure 'Allow InPrivate Browsing' is set to 'Disabled' Registry key not found. False
18.9.45.4 (L1) Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher Registry key not found. False
18.9.45.5 (L1) Ensure 'Configure Password Manager' is set to 'Disabled' Registry key not found. False
18.9.45.6 (L2) Ensure 'Configure Pop-up Blocker' is set to 'Enabled' Registry key not found. False
18.9.45.7 (L2) Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' Registry key not found. False
18.9.45.8 (L1) Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled' Registry key not found. False
18.9.45.9 (L2) Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' Registry key not found. False
18.9.45.10 (L2) Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled' Registry key not found. False
18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' Registry key not found. False
18.9.57.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' Registry key not found. False
18.9.58.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' Registry value not found. False
18.9.58.3.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' Registry value not found. False
18.9.58.3.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' Registry value not found. False
18.9.58.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' Registry value not found. False
18.9.58.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' Registry value not found. False
18.9.58.3.9.3 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' Registry value not found. False
18.9.58.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' Registry value not found. False
18.9.58.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' Registry value not found. False
18.9.58.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' Registry value not found. False
18.9.58.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' Registry value not found. False
18.9.59.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' Registry key not found. False
18.9.60.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' Compliant True
18.9.60.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled' Registry key not found. False
18.9.60.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' Registry key not found. False
18.9.60.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' Registry key not found. False
18.9.60.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' Registry key not found. False
18.9.65.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' Registry key not found. False
18.9.68.1 (L2) Ensure 'Disable all apps from Windows Store' is set to 'Disabled' Registry key not found. False
18.9.68.2 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' Registry key not found. False
18.9.68.3 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' Registry key not found. False
18.9.68.4 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' Registry key not found. False
18.9.76.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' Registry key not found. False
18.9.76.3.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' Compliant True
18.9.76.7.1 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' Registry key not found. False
18.9.76.9.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' Registry key not found. False
18.9.76.10.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' Registry key not found. False
18.9.76.10.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' Registry key not found. False
18.9.76.13.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' Registry key not found. False
18.9.76.13.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured' Registry key not found. False
18.9.76.13.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' Registry key not found. False
18.9.76.14 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' Registry value not found. False
18.9.77.1 (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' Registry key not found. False
18.9.77.2 (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' Registry key not found. False
18.9.77.3 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' Registry key not found. False
18.9.77.4 (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled' Registry key not found. False
18.9.79.1.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' Registry key not found. False
18.9.80.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Registry value not found. False
18.9.80.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' Registry key not found. False
18.9.80.2.2 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' Registry key not found. False
18.9.80.2.3 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' Registry key not found. False
18.9.82.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' Registry key not found. False
18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' Registry key not found. False
18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' Registry key not found. +Registry key not found. False
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' Registry key not found. False
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' Registry key not found. False
18.9.85.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' Registry key not found. False
18.9.86.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' Registry value not found. False
18.9.95.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' Registry key not found. False
18.9.95.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Registry key not found. False
18.9.97.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Registry key not found. False
18.9.97.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry key not found. False
18.9.97.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' Registry key not found. False
18.9.97.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Registry key not found. False
18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' Registry key not found. False
18.9.97.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry key not found. False
18.9.97.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' Registry key not found. False
18.9.98.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' Registry key not found. False
18.9.101.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' Registry key not found. False
18.9.101.1.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' Registry key not found. False
18.9.101.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' Registry key not found. False
18.9.101.2 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' Registry key not found. False
18.9.101.3 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' Registry key not found. False
18.9.101.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' Registry key not found. False

User Rights Assignment^

Id Task Message Audit
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' Compliant True
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' The following users have too many rights: Everyone, BUILTIN\Users, BUILTIN\Backup Operators False
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' Compliant True
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' The following users have too many rights: DESKTOP-VSBMIM9\Guest, BUILTIN\Backup Operators False
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' Compliant True
2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' The following users have too many rights: BUILTIN\Backup Operators False
2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' Compliant True
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' Compliant True
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' Compliant True
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' Compliant True
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' Compliant True
2.2.14 (L1) Configure 'Create symbolic links' Compliant True
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' Compliant True
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' The following users have too many rights: DESKTOP-VSBMIM9\Guest False
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' The following users have don't have the rights: False
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' The following users have don't have the rights: False
2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' The following users have too many rights: DESKTOP-VSBMIM9\Guest False
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' The following users have don't have the rights: False
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' Compliant True
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' Compliant True
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' The following users have too many rights: Window Manager\Window Manager Group False
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' Compliant True
2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' Compliant True
2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' The following users have too many rights: BUILTIN\Backup Operators, BUILTIN\Performance Log Users False
2.2.29 (L2) Ensure 'Log on as a service' is set to 'No One' The following users have too many rights: NT SERVICE\ALL SERVICES False
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' Compliant True
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' Compliant True
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' Compliant True
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' Compliant True
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' Compliant True
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' The following users have too many rights: NT SERVICE\WdiServiceHost False
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' The following users have too many rights: BUILTIN\Backup Operators False
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' The following users have too many rights: BUILTIN\Backup Operators False
2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' Compliant True

Account Policies^

Id Task Message Audit
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' Currently set to: 0. Expected: greater than or equal 24 False
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' Compliant True
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' Currently set to: 0. Expected: greater than or equal 1 False
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' Currently set to: 0. Expected: greater than or equal 14 False
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' Currently set to: 0. Expected: equals 1 False
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' Compliant True
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' Currently not set. False
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' Currently set to: 0. Expected: greater than 0 False
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' Currently not set. False

Windows Firewall with Advanced Security^

Id Task Message Audit
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Set to: No Auditing False
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.3 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' Set to: No Auditing False
17.2.4 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' Set to: Success False
17.2.5 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Set to: Success False
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.3.2 (L1) Ensure 'Audit Process Creation' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' Set to: Success False
17.5.2 (L1) Ensure 'Audit Group Membership' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.5.3 (L1) Ensure 'Audit Logoff' is set to 'Success' Compliant True
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Set to: No Auditing False
17.5.6 (L1) Ensure 'Audit Special Logon' is set to 'Success' Compliant True
17.6.1 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' Set to: No Auditing False
17.6.2 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Set to: No Auditing False
17.6.3 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' Set to: No Auditing False
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' Set to: Success False
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' Compliant True
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Set to: No Auditing False
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Set to: No Auditing False
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' Compliant True
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' Set to: No Auditing False
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True

Advanced Audit Policy Configuration^

Id Task Message Audit
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Set to: No Auditing False
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.2 (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.3 (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' Set to: No Auditing False
17.2.4 (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' Set to: Success False
17.2.5 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Set to: Success False
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.3.2 (L1) Ensure 'Audit Process Creation' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to 'Success and Failure' Set to: Success False
17.5.2 (L1) Ensure 'Audit Group Membership' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.5.3 (L1) Ensure 'Audit Logoff' is set to 'Success' Compliant True
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Set to: No Auditing False
17.5.6 (L1) Ensure 'Audit Special Logon' is set to 'Success' Compliant True
17.6.1 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' Set to: No Auditing False
17.6.2 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Set to: No Auditing False
17.6.3 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' Set to: No Auditing False
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' Set to: Success False
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' Compliant True
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to 'Success' Set to: No Auditing +Set to: No Auditing False
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Set to: No Auditing False
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Set to: No Auditing False
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
17.9.3 (L1) Ensure 'Audit Security State Change' is set to 'Success' Compliant True
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' Set to: No Auditing False
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True
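Review bot: the "Windows Firewall with Advanced Security" section of the generated report contains no firewall rows at all; every row under that heading (17.1.1 through 17.9.5) is a verbatim copy of the table that follows under "Advanced Audit Policy Configuration", so the report writer appears to emit the audit-policy result set under the firewall heading instead of the firewall result set. Two smaller output defects in the same table data are worth fixing in the generator rather than in the report: rows 2.2.17, 2.2.18 and 2.2.20 report "The following users have don't have the rights:" followed by an empty list while still auditing False, which is both ungrammatical and uninformative (a 'to include Guests' check that fails should name the missing principal), and rows such as 18.9.16.1, 18.9.84.2, 17.3.1, 17.3.2, 17.5.2 and 17.7.3 show the per-value message concatenated with a stray "+" ("Registry value not found. +Registry value not found."), which suggests multi-value checks join their messages without a proper separator.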